Summary:


NtAddAtom(>)  1 
NtOpenDirectoryObject(>)  2 
NtUserCallNoParam(>)  7 
NtQueryDefaultLocale(>)  42 

NtAllocateLocallyUniqueId(>)  1 
NtQueryInstallUILanguage(>)  2 
NtCreateThread(>)  8 
NtContinue(>)  45 

NtCallbackReturn(>)  1 
NtSetEvent(>)  2 
NtOpenSymbolicLinkObject(>)  8 
NtCreateEvent(>)  46 

NtDuplicateToken(>)  1 
NtUnlockFile(>)  2 
NtQuerySymbolicLinkObject(>)  8 
NtUserUnregisterClass(>)  47 

NtGdiCreateBitmap(>)  1 
NtUserCloseDesktop(>)  2 
NtQueryVirtualMemory(>)  8 
NtUserFindExistingCursorIcon(>)  49 

NtGdiCreateHalftonePalette(>)  1 
NtUserCreateWindowEx(>)  2 
NtRegisterThreadTerminatePort(>)  8 
NtQueryInformationFile(>)  50 

NtGdiCreatePaletteInternal(>)  1 
NtUserDestroyWindow(>)  2 
NtResumeThread(>)  8 
NtSetInformationFile(>)  50 

NtGdiCreatePatternBrushInternal(>)  1 
NtUserGetObjectInformation(>)  2 
NtReadVirtualMemory(>)  9 
NtQueryDirectoryFile(>)  51 

NtGdiDoPalette(>)  1 
NtUserMessageCall(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtCreateFile(>)  52 

NtGdiInit(>)  1 
NtYieldExecution(>)  2 
NtUserGetWindowDC(>)  10 
NtDelayExecution(>)  59 

NtGdiQueryFontAssocInfo(>)  1 
NtOpenMutant(>)  3 
NtUserCallOneParam(>)  11 
NtQueryInformationProcess(>)  63 

NtGdiSelectBitmap(>)  1 
NtOpenProcess(>)  3 
NtUserSystemParametersInfo(>)  11 
NtUserRegisterClassExWOW(>)  65 

NtOpenKeyedEvent(>)  1 
NtTerminateProcess(>)  3 
NtSetValueKey(>)  13 
NtProtectVirtualMemory(>)  69 

NtQueryFullAttributesFile(>)  1 
NtTerminateThread(>)  3 
NtWriteVirtualMemory(>)  16 
NtUnmapViewOfSection(>)  72 

NtQueryObject(>)  1 
NtUserOpenDesktop(>)  3 
NtNotifyChangeKey(>)  17 
NtCreateSection(>)  73 

NtQueryPerformanceCounter(>)  1 
NtUserRemoveProp(>)  3 
NtOpenProcessToken(>)  17 
NtWaitForSingleObject(>)  74 

NtQuerySystemTime(>)  1 
NtWaitForMultipleObjects(>)  3 
NtCreateKey(>)  18 
NtOpenSection(>)  78 

NtSecureConnectPort(>)  1 
NtConnectPort(>)  4 
NtDeviceIoControlFile(>)  18 
NtReadFile(>)  83 

NtUserBuildNameList(>)  1 
NtCreateProcessEx(>)  4 
NtUserRegisterWindowMessage(>)  19 
NtUserGetClassInfo(>)  91 

NtUserGetAtomName(>)  1 
NtGdiCreateCompatibleDC(>)  4 
NtWriteFile(>)  19 
NtQuerySystemInformation(>)  95 

NtUserGetDC(>)  1 
NtOpenEvent(>)  4 
NtQueryVolumeInformationFile(>)  21 
NtOpenProcessTokenEx(>)  112 

NtUserGetForegroundWindow(>)  1 
NtQueryInformationJobObject(>)  4 
NtFsControlFile(>)  22 
NtOpenThreadTokenEx(>)  112 

NtUserGetGUIThreadInfo(>)  1 
NtQueryInformationThread(>)  4 
NtFreeVirtualMemory(>)  23 
NtAllocateVirtualMemory(>)  120 

NtUserGetThreadDesktop(>)  1 
NtQuerySecurityObject(>)  4 
NtRaiseException(>)  23 
NtMapViewOfSection(>)  120 

NtUserKillTimer(>)  1 
NtUserWaitForInputIdle(>)  4 
NtQueryDebugFilterState(>)  26 
NtQueryKey(>)  129 

NtUserSetProp(>)  1 
NtCreateMutant(>)  5 
NtReleaseSemaphore(>)  27 
NtOpenFile(>)  130 

NtUserSetTimer(>)  1 
NtGdiGetStockObject(>)  5 
NtFlushInstructionCache(>)  29 
NtQueryInformationToken(>)  133 

NtUserSetWindowsHookEx(>)  1 
NtSetInformationObject(>)  5 
NtRequestWaitReplyPort(>)  30 
NtUserQueryWindow(>)  134 

NtUserUnhookWindowsHookEx(>)  1 
NtUserBuildHwndList(>)  5 
NtEnumerateKey(>)  31 
NtQueryAttributesFile(>)  183 

NtAccessCheck(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtSetInformationThread(>)  31 
NtQueryValueKey(>)  372 

NtClearEvent(>)  2 
NtCreateSemaphore(>)  6 
NtEnumerateValueKey(>)  33 
NtOpenKey(>)  530 

NtCreateIoCompletion(>)  2 
NtGdiDeleteObjectApp(>)  6 
NtOpenThreadToken(>)  36 
NtClose(>)  713 

NtGdiCreateSolidBrush(>)  2 
NtSetEventBoostPriority(>)  6 
NtSetInformationProcess(>)  36 

NtGdiHfontCreate(>)  2 
NtDuplicateObject(>)  7 
NtQuerySection(>)  37 

NtLockFile(>)  2 

Trace:
 00001   388   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   388   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   388   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   388   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   388   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   388   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   388   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   388   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   388   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   388   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   388   NtClose  (12, ... ) == 0x0
 00014   388   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   388   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   388   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   388   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   388   NtClose  (16, ... ) == 0x0
 00021   388   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   388   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   388   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   388   NtClose  (16, ... ) == 0x0
 00026   388   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   388   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   388   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   388   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   388   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 316, 388, 1481, 0} "\0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 316, 388, 1481, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 316, 388, 1481, 0} "\0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   388   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   388   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   388   NtClose  (16, ... ) == 0x0
 00036   388   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   388   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   388   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   388   NtClose  (28, ... ) == 0x0
 00041   388   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   388   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   388   NtClose  (28, ... ) == 0x0
 00045   388   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   388   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   388   NtClose  (28, ... ) == 0x0
 00049   388   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   388   NtClose  (28, ... ) == 0x0
 00052   388   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   388   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   388   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   388   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 316, 388, 1484, 0} "\260.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 316, 388, 1484, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 316, 388, 1484, 0} "\260.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   388   NtProtectVirtualMemory  (-1, (0x41b000), 114688, 4, ... (0x41b000), 114688, 128, ) == 0x0
 00057   388   NtProtectVirtualMemory  (-1, (0x41b000), 114688, 128, ... (0x41b000), 114688, 4, ) == 0x0
 00058   388   NtFlushInstructionCache  (-1, 4304896, 114688, ... ) == 0x0
 00059   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   388   NtClose  (28, ... ) == 0x0
 00062   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   388   NtClose  (28, ... ) == 0x0
 00065   388   NtProtectVirtualMemory  (-1, (0x41b000), 114688, 4, ... (0x41b000), 114688, 64, ) == 0x0
 00066   388   NtProtectVirtualMemory  (-1, (0x41b000), 114688, 64, ... (0x41b000), 114688, 4, ) == 0x0
 00067   388   NtFlushInstructionCache  (-1, 4304896, 114688, ... ) == 0x0
 00068   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00070   388   NtClose  (28, ... ) == 0x0
 00071   388   NtProtectVirtualMemory  (-1, (0x41b000), 114688, 4, ... (0x41b000), 114688, 64, ) == 0x0
 00072   388   NtProtectVirtualMemory  (-1, (0x41b000), 114688, 64, ... (0x41b000), 114688, 4, ) == 0x0
 00073   388   NtFlushInstructionCache  (-1, 4304896, 114688, ... ) == 0x0
 00074   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00076   388   NtClose  (28, ... ) == 0x0
 00077   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00078   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00079   388   NtClose  (28, ... ) == 0x0
 00080   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00081   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00082   388   NtClose  (28, ... ) == 0x0
 00083   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00085   388   NtClose  (28, ... ) == 0x0
 00086   388   NtProtectVirtualMemory  (-1, (0x41b000), 114688, 4, ... (0x41b000), 114688, 64, ) == 0x0
 00087   388   NtProtectVirtualMemory  (-1, (0x41b000), 114688, 64, ... (0x41b000), 114688, 4, ) == 0x0
 00088   388   NtFlushInstructionCache  (-1, 4304896, 114688, ... ) == 0x0
 00089   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00090   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00091   388   NtClose  (28, ... ) == 0x0
 00092   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00093   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00094   388   NtClose  (28, ... ) == 0x0
 00095   388   NtProtectVirtualMemory  (-1, (0x41b000), 114688, 4, ... (0x41b000), 114688, 64, ) == 0x0
 00096   388   NtProtectVirtualMemory  (-1, (0x41b000), 114688, 64, ... (0x41b000), 114688, 4, ) == 0x0
 00097   388   NtFlushInstructionCache  (-1, 4304896, 114688, ... ) == 0x0
 00098   388   NtProtectVirtualMemory  (-1, (0x41b000), 114688, 4, ... (0x41b000), 114688, 64, ) == 0x0
 00099   388   NtProtectVirtualMemory  (-1, (0x41b000), 114688, 64, ... (0x41b000), 114688, 4, ) == 0x0
 00100   388   NtFlushInstructionCache  (-1, 4304896, 114688, ... ) == 0x0
 00101   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00102   388   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00103   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00104   388   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00106   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00107   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00108   388   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00109   388   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00110   388   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00111   388   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00112   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00113   388   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00114   388   NtClose  (40, ... ) == 0x0
 00115   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00116   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00117   388   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00118   388   NtClose  (40, ... ) == 0x0
 00119   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00120   388   NtClose  (36, ... ) == 0x0
 00121   388   NtClose  (28, ... ) == 0x0
 00122   388   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00123   388   NtClose  (32, ... ) == 0x0
 00124   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00125   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00126   388   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00127   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00128   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00129   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00130   388   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00131   388   NtClose  (32, ... ) == 0x0
 00132   388   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00133   388   NtClose  (28, ... ) == 0x0
 00134   388   NtProtectVirtualMemory  (-1, (0x41b000), 114688, 4, ... (0x41b000), 114688, 64, ) == 0x0
 00135   388   NtProtectVirtualMemory  (-1, (0x41b000), 114688, 64, ... (0x41b000), 114688, 4, ) == 0x0
 00136   388   NtFlushInstructionCache  (-1, 4304896, 114688, ... ) == 0x0
 00137   388   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00138   388   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00139   388   NtClose  (28, ... ) == 0x0
 00140   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00141   388   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00142   388   NtClose  (28, ... ) == 0x0
 00143   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00144   388   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00145   388   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00146   388   NtClose  (28, ... ) == 0x0
 00147   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00148   388   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00149   388   NtClose  (28, ... ) == 0x0
 00150   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00151   388   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00152   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00153   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00154   388   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00155   388   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00156   388   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00157   388   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00158   388   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00159   388   NtClose  (32, ... ) == 0x0
 00160   388   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00161   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00162   388   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 316, 388, 1498, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 316, 388, 1498, 0}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 316, 388, 1498, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00163   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00164   388   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x510000), 0x0, 1060864, ) == 0x0
 00165   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00166   388   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00167   388   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00168   388   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00169   388   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00170   388   NtClose  (-2147482020, ... ) == 0x0
 00171   388   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00172   388   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00173   388   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00174   388   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00175   388   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00176   388   NtClose  (-2147482020, ... ) == 0x0
 00177   388   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00178   388   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179   388   NtClose  (-2147482020, ... ) == 0x0
 00180   388   NtQueryDefaultLocale  (0, -130774516, ... ) == 0x0
 00181   388   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00182   388   NtUserCallNoParam  (24, ... ) == 0x0
 00183   388   NtGdiCreateCompatibleDC  (0, ...
 00184   388   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00183   388   NtGdiCreateCompatibleDC  ... ) == 0x1e0103c2
 00185   388   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00186   388   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00187   388   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x160503cb
 00188   388   NtGdiCreateSolidBrush  (0, 0, ...
 00189   388   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00188   388   NtGdiCreateSolidBrush  ... ) == 0x111003cf
 00190   388   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00191   388   NtGdiCreateCompatibleDC  (0, ... ) == 0x3e01040c
 00192   388   NtGdiSelectBitmap  (1040253964, 369427403, ... ) == 0x185000f
 00193   388   NtUserGetThreadDesktop  (388, 0, ... ) == 0x2c
 00194   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00195   388   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00196   388   NtClose  (52, ... ) == 0x0
 00197   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00198   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00199   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00200   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00201   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00202   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00203   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00204   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00205   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00206   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00207   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00208   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00209   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00210   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00211   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00212   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00213   388   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00214   388   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00215   388   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00216   388   NtAllocateVirtualMemory  (-1, 6516736, 0, 4096, 4096, 32, ... 6516736, 4096, ) == 0x0
 00215   388   NtUserRegisterClassExWOW  ... ) == 0x810dc020
 00217   388   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00218   388   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00219   388   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00220   388   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00221   388   NtCallbackReturn  (0, 0, 0, ...
 00222   388   NtGdiInit  (... ) == 0x1
 00223   388   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00224   388   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00225   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00226   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00227   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00228   388   NtQueryValueKey  (52,  (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00229   388   NtClose  (52, ... ) == 0x0
 00230   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00231   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00232   388   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00233   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00234   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00235   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0
 00236   388   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00237   388   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00238   388   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00239   388   NtClose  (52, ... ) == 0x0
 00240   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0
 00241   388   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   388   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   388   NtClose  (52, ... ) == 0x0
 00244   388   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00245   388   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00246   388   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00247   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00248   388   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00249   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0
 00250   388   NtQueryValueKey  (56,  (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00251   388   NtClose  (56, ... ) == 0x0
 00252   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 56, ) }, ... 56, ) == 0x0
 00255   388   NtQueryValueKey  (56,  (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00256   388   NtClose  (56, ... ) == 0x0
 00257   388   NtQueryDefaultUILanguage  (1241756, ...
 00258   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00259   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00260   388   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00261   388   NtClose  (-2147482020, ... ) == 0x0
 00262   388   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00263   388   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00264   388   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00265   388   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00266   388   NtClose  (-2147482032, ... ) == 0x0
 00267   388   NtClose  (-2147482020, ... ) == 0x0
 00257   388   NtQueryDefaultUILanguage  ... ) == 0x0
 00268   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00269   388   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00270   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00271   388   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 60, ) == 0x0
 00272   388   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x920000), 0x0, 8323072, ) == 0x0
 00273   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00274   388   NtQueryDefaultUILanguage  (2013024600, ...
 00275   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00276   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00277   388   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00278   388   NtClose  (-2147482020, ... ) == 0x0
 00279   388   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00280   388   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   388   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00282   388   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00283   388   NtClose  (-2147482032, ... ) == 0x0
 00284   388   NtClose  (-2147482020, ... ) == 0x0
 00274   388   NtQueryDefaultUILanguage  ... ) == 0x0
 00285   388   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00286   388   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00287   388   NtQueryDefaultLocale  (1, 1239792, ... ) == 0x0
 00288   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00289   388   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 388, 1499, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 316, 388, 1499, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 388, 1499, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\311\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ) == 0x0
 00290   388   NtClose  (56, ... ) == 0x0
 00291   388   NtClose  (60, ... ) == 0x0
 00292   388   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00293   388   NtUnmapViewOfSection  (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW
 00294   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00295   388   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00297   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00298   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00300   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00301   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00302   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0
 00303   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 60, {status=0x0, info=1}, ) }, 3, 33, ... 60, {status=0x0, info=1}, ) == 0x0
 00304   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00305   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00306   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00307   388   NtClose  (56, ... ) == 0x0
 00308   388   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x920000), 0x0, 921600, ) == 0x0
 00309   388   NtClose  (64, ... ) == 0x0
 00310   388   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00311   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00312   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 56, ) == 0x0
 00313   388   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00314   388   NtClose  (64, ... ) == 0x0
 00315   388   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00316   388   NtClose  (56, ... ) == 0x0
 00317   388   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00318   388   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00319   388   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00320   388   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00321   388   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00322   388   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00323   388   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00324   388   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00325   388   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00326   388   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00327   388   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00328   388   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00329   388   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00330   388   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00331   388   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00332   388   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00333   388   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00334   388   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00335   388   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00336   388   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00337   388   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00338   388   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0
 00339   388   NtQueryDefaultUILanguage  (1239368, ...
 00340   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00341   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00342   388   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00343   388   NtClose  (-2147482020, ... ) == 0x0
 00344   388   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00345   388   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00346   388   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00347   388   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00348   388   NtClose  (-2147482032, ... ) == 0x0
 00349   388   NtClose  (-2147482020, ... ) == 0x0
 00339   388   NtQueryDefaultUILanguage  ... ) == 0x0
 00350   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00351   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0
 00352   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00353   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00354   388   NtClose  (56, ... ) == 0x0
 00355   388   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x370000), 0x0, 4096, ) == 0x0
 00356   388   NtClose  (64, ... ) == 0x0
 00357   388   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00358   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0
 00359   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238560,  (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0
 00360   388   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0
 00361   388   NtClose  (64, ... ) == 0x0
 00362   388   NtMapViewOfSection  (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x370000), {0, 0}, 4096, ) == 0x0
 00363   388   NtClose  (56, ... ) == 0x0
 00364   388   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00365   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00366   388   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 64, ) == 0x0
 00367   388   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x370000), 0x0, 4096, ) == 0x0
 00368   388   NtQueryInformationFile  (56, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00369   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00370   388   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 388, 1500, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 316, 388, 1500, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 388, 1500, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ) == 0x0
 00371   388   NtClose  (56, ... ) == 0x0
 00372   388   NtClose  (64, ... ) == 0x0
 00373   388   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00374   388   NtUnmapViewOfSection  (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW
 00375   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00376   388   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00377   388   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00378   388   NtUserGetDC  (0, ... ) == 0x1010050
 00379   388   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00380   388   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00381   388   NtUserSystemParametersInfo  (66, 12, 1240672, 0, ... ) == 0x1
 00382   388   NtOpenProcessToken  (-1, 0x8, ... 64, ) == 0x0
 00383   388   NtAccessCheck  (1327448, 64, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00384   388   NtClose  (64, ... ) == 0x0
 00385   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00386   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00387   388   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00388   388   NtClose  (64, ... ) == 0x0
 00389   388   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 64, ) == 0x0
 00390   388   NtSetInformationObject  (64, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00391   388   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00392   388   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00393   388   NtClose  (56, ... ) == 0x0
 00394   388   NtUserSystemParametersInfo  (41, 500, 1240172, 0, ... ) == 0x1
 00395   388   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00396   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 56, ) }, ... 56, ) == 0x0
 00397   388   NtQueryValueKey  (56,  (56, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00398   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00399   388   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00400   388   NtClose  (68, ... ) == 0x0
 00401   388   NtClose  (56, ... ) == 0x0
 00402   388   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00403   388   NtUserSystemParametersInfo  (4130, 0, 1240696, 0, ... ) == 0x1
 00404   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 56, ) }, ... 56, ) == 0x0
 00405   388   NtEnumerateValueKey  (56, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00406   388   NtClose  (56, ... ) == 0x0
 00407   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00408   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03b
 00409   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03d
 00410   388   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00411   388   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc03f
 00412   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00413   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc041
 00414   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00415   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc043
 00416   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc045
 00417   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00418   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc047
 00419   388   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00420   388   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc049
 00421   388   NtUserGetClassInfo  (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049
 00422   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00423   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04b
 00424   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00425   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04d
 00426   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00427   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04f
 00428   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc051
 00429   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00430   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc053
 00431   388   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00432   388   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc055
 00433   388   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc057
 00434   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00435   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc059
 00436   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10013
 00437   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05b
 00438   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00439   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05d
 00440   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00441   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05f
 00442   388   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00443   388   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc017
 00444   388   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00445   388   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc019
 00446   388   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10013
 00447   388   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc018
 00448   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00449   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01a
 00450   388   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00451   388   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ...
 00452   388   NtAllocateVirtualMemory  (-1, 6520832, 0, 4096, 4096, 32, ... 6520832, 4096, ) == 0x0
 00451   388   NtUserRegisterClassExWOW  ... ) == 0x810dc01c
 00453   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00454   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01e
 00455   388   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00456   388   NtUserRegisterClassExWOW  (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810dc01b
 00457   388   NtUserFindExistingCursorIcon  (1239972, 1239988, 1240556, ... ) == 0x10011
 00458   388   NtUserRegisterClassExWOW  (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810dc068
 00459   388   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00460   388   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc06a
 00461   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00462   388   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00463   388   NtClose  (56, ... ) == 0x0
 00464   388   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {316, 0}, ... 56, ) == 0x0
 00465   388   NtQueryInformationProcess  (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00466   388   NtClose  (56, ... ) == 0x0
 00467   388   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00468   388   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00469   388   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00470   388   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00471   388   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00472   388   NtClose  (56, ... ) == 0x0
 00473   388   NtUserSystemParametersInfo  (41, 500, 1241332, 0, ... ) == 0x1
 00474   388   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00475   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00476   388   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00477   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc03b
 00478   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00479   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc03d
 00480   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00481   388   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00482   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc03f
 00483   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00484   388   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00485   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc041
 00486   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00487   388   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00488   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc043
 00489   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00490   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc045
 00491   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00492   388   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00493   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc047
 00494   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00495   388   NtUserFindExistingCursorIcon  (1241120, 1241136, 1241704, ... ) == 0x10011
 00496   388   NtUserRegisterClassExWOW  (1241572, 1241652, 1241636, 1241668, 0, 384, 0, ... ) == 0x810dc049
 00497   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00498   388   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00499   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04b
 00500   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00501   388   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00502   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04d
 00503   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00504   388   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00505   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc04f
 00506   388   NtUserGetClassInfo  (1999896576, 1241744, 1241696, 1241772, 0, ... ) == 0x0
 00507   388   NtUserRegisterClassExWOW  (1241580, 1241660, 1241644, 1241676, 0, 384, 0, ... ) == 0x810dc051
 00508   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00509   388   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00510   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc053
 00511   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00512   388   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00513   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc055
 00514   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc057
 00515   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00516   388   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00517   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc059
 00518   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00519   388   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10013
 00520   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05b
 00521   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00522   388   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00523   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05d
 00524   388   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00525   388   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00526   388   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810dc05f
 00527   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03b
 00528   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03d
 00529   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03f
 00530   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc041
 00531   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc043
 00532   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc045
 00533   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc047
 00534   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc049
 00535   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04b
 00536   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04d
 00537   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04f
 00538   388   NtUserGetClassInfo  (1999896576, 1243496, 1243448, 1243524, 0, ... ) == 0xc051
 00539   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc053
 00540   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc055
 00541   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc059
 00542   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05b
 00543   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05d
 00544   388   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05f
 00545   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00546   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00547   388   NtTestAlert  (... ) == 0x0
 00548   388   NtContinue  (1244464, 1, ...
 00549   388   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x42c000,}, 4, ... ) == 0x0
 00550   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243656, ... ) }, 1243656, ... ) == 0x0
 00551   388   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1310720, 1329608, 15, 1312096}  (24, {20, 48, new_msg, 0, 1310720, 1329608, 15, 1312096} "\0\0\0\0\2\0\1\08\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 316, 388, 1501, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 316, 388, 1501, 0}  (24, {20, 48, new_msg, 0, 1310720, 1329608, 15, 1312096} "\0\0\0\0\2\0\1\08\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 316, 388, 1501, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00552   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243664,  (0x80100080, {24, 0, 0x40, 0, 1243664, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00553   388   NtQueryDirectoryFile  (-2147482020, 0, 0, 0, -519815168, 4096, Names, 1,  (-2147482020, 0, 0, 0, -519815168, 4096, Names, 1, "~1.tmp", 1, ... {status=0x0, info=24}, ) , 1, ... {status=0x0, info=24}, ) == 0x0
 00554   388   NtClose  (-2147482020, ... ) == 0x0
 00552   388   NtCreateFile  ... 56, {status=0x0, info=2}, ) == 0x0
 00555   388   NtClose  (56, ... ) == 0x0
 00556   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1242912, ... ) }, 1242912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00557   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243644,  (0xc0100080, {24, 0, 0x40, 0, 1243644, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00558   388   NtClose  (-2147482020, ... ) == 0x0
 00559   388   NtQueryDirectoryFile  (-2147482020, 0, 0, 0, -519815168, 4096, Names, 1,  (-2147482020, 0, 0, 0, -519815168, 4096, Names, 1, "~1.tmp.exe", 1, ... ) , 1, ... ) == STATUS_NO_SUCH_FILE
 00560   388   NtClose  (-2147482020, ... ) == 0x0
 00557   388   NtCreateFile  ... 56, {status=0x0, info=2}, ) == 0x0
 00561   388   NtQueryVolumeInformationFile  (56, 1243804, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00562   388   NtQueryInformationFile  (56, 1243696, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00563   388   NtWriteFile  (56, 0, 0, 0,  (56, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 43520, 0x0, 0, ... {status=0x0, info=43520}, ) , 43520, 0x0, 0, ... {status=0x0, info=43520}, ) == 0x0
 00564   388   NtClose  (56, ... ) == 0x0
 00565   388   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00566   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1240368, ... ) }, 1240368, ... ) == 0x0
 00567   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1241060, ... ) }, 1241060, ... ) == 0x0
 00568   388   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00569   388   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 56, ... 68, ) == 0x0
 00570   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00571   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 72, ) }, ... 72, ) == 0x0
 00572   388   NtQueryValueKey  (72,  (72, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00573   388   NtClose  (72, ... ) == 0x0
 00574   388   NtQueryVolumeInformationFile  (56, 1240368, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00575   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238352, ... ) }, 1238352, ... ) == 0x0
 00576   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00577   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 72, ... 76, ) == 0x0
 00578   388   NtClose  (72, ... ) == 0x0
 00579   388   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 106496, ) == 0x0
 00580   388   NtClose  (76, ... ) == 0x0
 00581   388   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00582   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238668, ... ) }, 1238668, ... ) == 0x0
 00583   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00584   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 72, ) == 0x0
 00585   388   NtQuerySection  (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00586   388   NtClose  (76, ... ) == 0x0
 00587   388   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00588   388   NtClose  (72, ... ) == 0x0
 00589   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0
 00590   388   NtQueryInformationFile  (72, 1238956, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00591   388   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0
 00592   388   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x920000), 0x0, 1028096, ) == 0x0
 00593   388   NtQueryInformationFile  (72, 1239052, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00594   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00596   388   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00597   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00598   388   NtQueryDirectoryFile  (80, 0, 0, 0, 1236616, 616, BothDirectory, 1,  (80, 0, 0, 0, 1236616, 616, BothDirectory, 1, "~1.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00599   388   NtClose  (80, ... ) == 0x0
 00600   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00601   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00602   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1236004, ... ) }, 1236004, ... ) == 0x0
 00603   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00604   388   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 00605   388   NtClose  (80, ... ) == 0x0
 00606   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00607   388   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00608   388   NtClose  (80, ... ) == 0x0
 00609   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00610   388   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 00611   388   NtClose  (80, ... ) == 0x0
 00612   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00613   388   NtQueryDirectoryFile  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1,  (80, 0, 0, 0, 1235364, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00614   388   NtClose  (80, ... ) == 0x0
 00615   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00616   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00617   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00618   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00619   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 80, ) == 0x0
 00620   388   NtQueryInformationToken  (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00621   388   NtClose  (80, ... ) == 0x0
 00622   388   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00623   388   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00624   388   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00625   388   NtClose  (76, ... ) == 0x0
 00626   388   NtClose  (72, ... ) == 0x0
 00627   388   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00628   388   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00629   388   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00630   388   NtOpenProcessToken  (-1, 0xa, ... 72, ) == 0x0
 00631   388   NtQueryInformationToken  (72, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00632   388   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00633   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00634   388   NtQueryValueKey  (76,  (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00635   388   NtQueryValueKey  (76,  (76, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (76, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00636   388   NtClose  (76, ... ) == 0x0
 00637   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00638   388   NtQueryValueKey  (76,  (76, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00639   388   NtQueryValueKey  (76,  (76, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (76, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 00640   388   NtClose  (76, ... ) == 0x0
 00641   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00642   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00643   388   NtQueryValueKey  (76,  (76, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00644   388   NtClose  (76, ... ) == 0x0
 00645   388   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00646   388   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00647   388   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00648   388   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00649   388   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00650   388   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00651   388   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00652   388   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00653   388   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00654   388   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00655   388   NtQueryDefaultLocale  (1, 1239740, ... ) == 0x0
 00656   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 76, ) }, ... 76, ) == 0x0
 00657   388   NtEnumerateKey  (76, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (76, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 00658   388   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 80, ) }, ... 80, ) == 0x0
 00659   388   NtQueryValueKey  (80,  (80, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (80, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 00660   388   NtQueryValueKey  (80,  (80, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (80, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00661   388   NtClose  (80, ... ) == 0x0
 00662   388   NtEnumerateKey  (76, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00663   388   NtClose  (76, ... ) == 0x0
 00664   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00666   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00667   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00668   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00669   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00670   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00671   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00673   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00676   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00677   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00678   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00679   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00680   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00681   388   NtClose  (76, ... ) == 0x0
 00682   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00683   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00684   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00685   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00686   388   NtClose  (76, ... ) == 0x0
 00687   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00688   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00689   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00690   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00691   388   NtClose  (76, ... ) == 0x0
 00692   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00693   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00694   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00695   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00696   388   NtClose  (76, ... ) == 0x0
 00697   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00698   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00699   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00700   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00701   388   NtClose  (76, ... ) == 0x0
 00702   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00703   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00704   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00705   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00706   388   NtClose  (76, ... ) == 0x0
 00707   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00708   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00709   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00710   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00711   388   NtClose  (76, ... ) == 0x0
 00712   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00713   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00714   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00715   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00716   388   NtClose  (76, ... ) == 0x0
 00717   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00718   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00719   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00720   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00721   388   NtClose  (76, ... ) == 0x0
 00722   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00723   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00724   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00725   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00726   388   NtClose  (76, ... ) == 0x0
 00727   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00728   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00729   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00730   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00731   388   NtClose  (76, ... ) == 0x0
 00732   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00733   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00734   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00735   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00736   388   NtClose  (76, ... ) == 0x0
 00737   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00738   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00739   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00740   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00741   388   NtClose  (76, ... ) == 0x0
 00742   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00743   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00744   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00745   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00746   388   NtClose  (76, ... ) == 0x0
 00747   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00748   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00749   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00750   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00751   388   NtClose  (76, ... ) == 0x0
 00752   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00753   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00754   388   NtQueryValueKey  (76,  (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (76, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 00755   388   NtClose  (76, ... ) == 0x0
 00756   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00757   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00758   388   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00759   388   NtClose  (76, ... ) == 0x0
 00760   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761   388   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00762   388   NtOpenProcessToken  (-1, 0xa, ... 76, ) == 0x0
 00763   388   NtDuplicateToken  (76, 0xc, {24, 0, 0x0, 0, 1240260, 0x0}, 0, 2, ... 80, ) == 0x0
 00764   388   NtClose  (76, ... ) == 0x0
 00765   388   NtAccessCheck  (1337496, 80, 0x1, 1240388, 1240332, 56, 1240416, ... (0x1), ) == 0x0
 00766   388   NtClose  (80, ... ) == 0x0
 00767   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 80, ) }, ... 80, ) == 0x0
 00768   388   NtQueryValueKey  (80,  (80, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (80, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00769   388   NtClose  (80, ... ) == 0x0
 00770   388   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 80, ) }, ... 80, ) == 0x0
 00771   388   NtQuerySymbolicLinkObject  (80, ...  (80, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 00772   388   NtClose  (80, ... ) == 0x0
 00773   388   NtQueryInformationFile  (56, 1238720, 528, Name, ... {status=0x0, info=130}, ) == 0x0
 00774   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00775   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00776   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\~1.tmp.exe"}, 1237400, ... ) }, 1237400, ... ) == 0x0
 00777   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00778   388   NtQueryDirectoryFile  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00779   388   NtClose  (80, ... ) == 0x0
 00780   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0
 00781   388   NtQueryDirectoryFile  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1,  (80, 0, 0, 0, 1236760, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00782   388   NtClose  (80, ... ) == 0x0
 00783   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00784   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00785   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00786   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 80, ) == 0x0
 00787   388   NtQueryInformationToken  (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00788   388   NtClose  (80, ... ) == 0x0
 00789   388   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 80, ) }, ... 80, ) == 0x0
 00790   388   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 76, ) }, ... 76, ) == 0x0
 00791   388   NtClose  (80, ... ) == 0x0
 00792   388   NtQueryValueKey  (76,  (76, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00793   388   NtQueryValueKey  (76,  (76, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (76, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 00794   388   NtClose  (76, ... ) == 0x0
 00795   388   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 3604480, 4096, ) == 0x0
 00796   388   NtAllocateVirtualMemory  (-1, 3604480, 0, 4096, 4096, 4, ... 3604480, 4096, ) == 0x0
 00797   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00798   388   NtQueryValueKey  (76,  (76, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00799   388   NtClose  (76, ... ) == 0x0
 00800   388   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00801   388   NtQueryInformationToken  (72, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 00802   388   NtQueryInformationToken  (72, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 00803   388   NtClose  (72, ... ) == 0x0
 00804   388   NtCreateProcessEx  (1242996, 2035711, 0, -1, 0, 68, 0, 0, 0, ... ) == 0x0
 00805   388   NtQueryInformationProcess  (72, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=316,}, 0x0, ) == 0x0
 00806   388   NtReadVirtualMemory  (72, 0x7ffdf008, 4, ...  (72, 0x7ffdf008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0
 00807   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00808   388   NtAllocateVirtualMemory  (-1, 1339392, 0, 8192, 4096, 4, ... 1339392, 8192, ) == 0x0
 00809   388   NtReadVirtualMemory  (72, 0x9800000, 4096, ...  (72, 0x9800000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0
 00810   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00811   388   NtQueryInformationProcess  (72, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=316,}, 0x0, ) == 0x0
 00812   388   NtAllocateVirtualMemory  (-1, 0, 0, 1772, 4096, 4, ... 3735552, 4096, ) == 0x0
 00813   388   NtAllocateVirtualMemory  (72, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 00814   388   NtWriteVirtualMemory  (72, 0x10000,  (72, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 00815   388   NtAllocateVirtualMemory  (72, 0, 0, 1772, 4096, 4, ... 131072, 4096, ) == 0x0
 00816   388   NtWriteVirtualMemory  (72, 0x20000,  (72, 0x20000, "\0\20\0\0\354\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0Z\0\\0\264\5\0\0Z\0\\0\20\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0l\6\0\0\36\0 \0\310\6\0\0\0\0\2\0\350\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1772, ... 0x0, ) , 1772, ... 0x0, ) == 0x0
 00817   388   NtWriteVirtualMemory  (72, 0x7ffdf010,  (72, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00818   388   NtWriteVirtualMemory  (72, 0x7ffdf1e8,  (72, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00819   388   NtFreeVirtualMemory  (-1, (0x390000), 0, 32768, ... (0x390000), 4096, ) == 0x0
 00820   388   NtAllocateVirtualMemory  (72, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 00821   388   NtAllocateVirtualMemory  (72, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 00822   388   NtProtectVirtualMemory  (72, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 00823   388   NtCreateThread  (0x1f03ff, 0x0, 72, 1241260, 1241980, 1, ... 76, {364, 564}, ) == 0x0
 00824   388   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329880, 1243080}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329880, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367wK\0\0\0L\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 388, 1502, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wH\0\0\0L\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 316, 388, 1502, 0}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329880, 1243080} "\0\0\0\0\0\0\1\0\2$\370w U\367wK\0\0\0L\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 388, 1502, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wH\0\0\0L\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00825   388   NtResumeThread  (76, ... 1, ) == 0x0
 00826   388   NtClose  (56, ... ) == 0x0
 00827   388   NtClose  (68, ... ) == 0x0
 00828   388   NtQueryInformationProcess  (72, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=316,}, 0x0, ) == 0x0
 00829   388   NtUserWaitForInputIdle  (364, 30000, 0, ...
 00830   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00831   388   NtClose  (68, ... ) == 0x0
 00829   388   NtUserWaitForInputIdle  ... ) == 0x102
 00832   388   NtClose  (72, ... ) == 0x0
 00833   388   NtClose  (76, ... ) == 0x0
 00834   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00835   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00836   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "LZ32.dll"}, ... 76, ) }, ... 76, ) == 0x0
 00837   388   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73dc0000), 0x0, 12288, ) == 0x0
 00838   388   NtClose  (76, ... ) == 0x0
 00839   388   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1244956,  (0x40100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 2, 1, 5, 96, 0, 0, ... }, 0x0, 2, 1, 5, 96, 0, 0, ...
 00840   388   NtClose  (-2147482104, ... ) == 0x0
 00839   388   NtCreateFile  ... 76, {status=0x0, info=2}, ) == 0x0
 00841   388   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "SZDD\210\360'3A\0\0\220\0\0\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 \0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217", 17878, 0x0, 0, ... {status=0x0, info=17878}, ) , 17878, 0x0, 0, ... {status=0x0, info=17878}, ) == 0x0
 00842   388   NtClose  (76, ... ) == 0x0
 00843   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 1243636, ... ) }, 1243636, ... ) == 0x0
 00844   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244368,  (0x80100080, {24, 0, 0x40, 0, 1244368, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 0, 3, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00845   388   NtQueryVolumeInformationFile  (76, 1244528, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00846   388   NtQueryInformationFile  (76, 1244420, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00847   388   NtQueryInformationFile  (76, 1244628, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00848   388   NtSetInformationFile  (76, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00849   388   NtSetInformationFile  (76, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00850   388   NtReadFile  (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14},  (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0
 00851   388   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 9568256, 524288, ) == 0x0
 00852   388   NtAllocateVirtualMemory  (-1, 9568256, 0, 4096, 4096, 4, ... 9568256, 4096, ) == 0x0
 00853   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243640, ... ) }, 1243640, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00854   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244372,  (0xc0100080, {24, 0, 0x40, 0, 1244372, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00855   388   NtClose  (-2147482104, ... ) == 0x0
 00854   388   NtCreateFile  ... 72, {status=0x0, info=2}, ) == 0x0
 00856   388   NtQueryVolumeInformationFile  (72, 1244532, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00857   388   NtQueryInformationFile  (72, 1244424, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00858   388   NtAllocateVirtualMemory  (-1, 1347584, 0, 36864, 4096, 4, ... 1347584, 36864, ) == 0x0
 00859   388   NtAllocateVirtualMemory  (-1, 1384448, 0, 36864, 4096, 4, ... 1384448, 36864, ) == 0x0
 00860   388   NtQueryInformationFile  (76, 1244892, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00861   388   NtSetInformationFile  (76, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00862   388   NtSetInformationFile  (76, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00863   388   NtReadFile  (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14},  (76, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0
 00864   388   NtSetInformationFile  (76, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00865   388   NtSetInformationFile  (72, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00866   388   NtReadFile  (76, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=17864},  (76, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=17864}, "\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 \0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217m\237m\257m\277m\0\317m\337m\357m", ) , ) == 0x0
 00867   388   NtWriteFile  (72, 0, 0, 0,  (72, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0ei\350\341!\10\206\262!\10\206\262!\10\206\262\242\24\210\262$\10\206\262C\27\225\262(\10\206\262!\10\207\262h\10\206\262\311\27\220\262 \10\206\262\311\27\202\262 \10\206\262Rich!\10\206\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0R\344\315D\0\0\0\0\0\0\0\0\340\0\16!\13\1\6\0\0P\0\0\0\260\0\0\0\0\0\00D\0\0\0\20\0\0\0`\0\0\0\0\0\20\0\20\0\0\0\20\0\0\4\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\0\20\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\220Q\0\0F\0\0\0\30K\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\240\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\04\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\326A\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0
 00868   388   NtWriteFile  (72, 0, 0, 0,  (72, 0, 0, 0, "\0\20\0\0D\1\0\0<1@1L1P1\1`1l1p1|1\2001\2141\2201\2341\2401\2541\2601Z2\3262\3532\33\263>3E3Y3a3\2123\2243\2733\3013\3243\3343\3473\3543\3623\3773\104\234\304\36454=4\1774\2204\376475a5n5\2055\2145\2355\3245\3465\3535\226\3456\3636\3716\3776\77(7-7\2477\3127\3277\3557\18\148\268D8Y8_8f8s8\2018\3148\3318\3428\3578\3668\3758\119\179$999N9d9j9\2029\2159\2239\2359\2519\3249\3369\3609\3729\27:$:/:;:V:[:\225:\317:\344:\10;\25;6;O;n;\255;\272;\341;\15\16>\25>@>M>U>c>i>p>\202>\217>\227>\245>\253>\262>\37?&?+?1?L?e?\236?\250?\257?\267?\302?\325?\334?\366?\0\0\0 \0\0,\2\0\0&0+0\2640\3150\3320\3520\3570\3670!101l1\2011\3151\3541\3611\3671\132\222\272\352*2H2_2k2y2\2142\2362\2532\3372\3702\173\313/343:3@3F3N3T3Z3b3k3s3\1773\2133\2213\2273\2623\2723\3253\3353\3743\204\324(4.444F4P4Z4h4m4\2044\2114\2174\2244\2324\2404\2604\3134\3264\3344\3564\3644\65\145"5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) 5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00869   388   NtQueryInformationFile  (76, 1244896, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00870   388   NtSetInformationFile  (72, 1244896, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00871   388   NtFreeVirtualMemory  (-1, (0x147000), 81920, 16384, ... (0x147000), 81920, ) == 0x0
 00872   388   NtClose  (72, ... ) == 0x0
 00873   388   NtClose  (76, ... ) == 0x0
 00874   388   NtUnmapViewOfSection  (-1, 0x73dc0000, ... ) == 0x0
 00875   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1242748, ... ) }, 1242748, ... ) == 0x0
 00876   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00877   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 76, ... 72, ) == 0x0
 00878   388   NtClose  (76, ... ) == 0x0
 00879   388   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 36864, ) == 0x0
 00880   388   NtClose  (72, ... ) == 0x0
 00881   388   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00882   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243064, ... ) }, 1243064, ... ) == 0x0
 00883   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00884   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 72, ... 76, ) == 0x0
 00885   388   NtQuerySection  (76, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00886   388   NtClose  (72, ... ) == 0x0
 00887   388   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 69632, ) == 0x0
 00888   388   NtClose  (76, ... ) == 0x0
 00889   388   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 128, ) == 0x0
 00890   388   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 128, ... (0x10001000), 4096, 4, ) == 0x0
 00891   388   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00892   388   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00893   388   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00894   388   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00895   388   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00896   388   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00897   388   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00898   388   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00899   388   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00900   388   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00901   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00902   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00903   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1240980, ... ) }, 1240980, ... ) == 0x0
 00904   388   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "_kuku_joker_v3.09_"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0
 00905   388   NtWaitForSingleObject  (76, 0, {0, 0}, ... ) == 0x0
 00906   388   NtUserSetWindowsHookEx  (268435456, 1242684, 0, 3, 268446576, 2, ... ) == 0x3003b
 00907   388   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10092544, 1048576, ) == 0x0
 00908   388   NtAllocateVirtualMemory  (-1, 11132928, 0, 8192, 4096, 4, ... 11132928, 8192, ) == 0x0
 00909   388   NtProtectVirtualMemory  (-1, (0xa9e000), 4096, 260, ... (0xa9e000), 4096, 4, ) == 0x0
 00910   388   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 72, {316, 1508}, ) == 0x0
 00911   388   NtQueryInformationThread  (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=316,Tid=1508,}, 0x0, ) == 0x0
 00912   388   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0}  (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0} "\0\0\0\0\1\0\1\0E\0R\03\02\0H\0\0\0<\1\0\0\344\5\0\0" ... {28, 56, reply, 0, 316, 388, 2263, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0<\1\0\0\344\5\0\0" )  ... {28, 56, reply, 0, 316, 388, 2263, 0}  (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0} "\0\0\0\0\1\0\1\0E\0R\03\02\0H\0\0\0<\1\0\0\344\5\0\0" ... {28, 56, reply, 0, 316, 388, 2263, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0H\0\0\0<\1\0\0\344\5\0\0" )  ) == 0x0
 00913   388   NtResumeThread  (72, ... 1, ) == 0x0
 00914   388   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11141120, 1048576, ) == 0x0
 00915  1508   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 68, ) == 0x0
 00916  1508   NtWaitForSingleObject  (68, 0, 0x0, ...
 00917   388   NtAllocateVirtualMemory  (-1, 12181504, 0, 8192, 4096, 4, ... 12181504, 8192, ) == 0x0
 00918   388   NtProtectVirtualMemory  (-1, (0xb9e000), 4096, 260, ... (0xb9e000), 4096, 4, ) == 0x0
 00919   388   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 56, {316, 1512}, ) == 0x0
 00920   388   NtQueryInformationThread  (56, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=316,Tid=1512,}, 0x0, ) == 0x0
 00921   388   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 316, 388, 2263, 0}  (24, {28, 56, new_msg, 0, 316, 388, 2263, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0<\1\0\0\350\5\0\0" ... {28, 56, reply, 0, 316, 388, 2264, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0<\1\0\0\350\5\0\0" )  ... {28, 56, reply, 0, 316, 388, 2264, 0}  (24, {28, 56, new_msg, 0, 316, 388, 2263, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0<\1\0\0\350\5\0\0" ... {28, 56, reply, 0, 316, 388, 2264, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\08\0\0\0<\1\0\0\350\5\0\0" )  ) == 0x0
 00922   388   NtResumeThread  (56, ... 1, ) == 0x0
 00923   388   NtUserSetTimer  (0, 0, 4096, 268451664, ... ) == 0x7ff9
 00924   388   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12189696, 1048576, ) == 0x0
 00925   388   NtAllocateVirtualMemory  (-1, 13230080, 0, 8192, 4096, 4, ...
 00926  1512   NtWaitForSingleObject  (68, 0, 0x0, ...
 00925   388   NtAllocateVirtualMemory  ... 13230080, 8192, ) == 0x0
 00927   388   NtProtectVirtualMemory  (-1, (0xc9e000), 4096, 260, ... (0xc9e000), 4096, 4, ) == 0x0
 00928   388   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 80, {316, 1516}, ) == 0x0
 00929   388   NtQueryInformationThread  (80, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=316,Tid=1516,}, 0x0, ) == 0x0
 00930   388   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 316, 388, 2264, 0}  (24, {28, 56, new_msg, 0, 316, 388, 2264, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0<\1\0\0\354\5\0\0" ... {28, 56, reply, 0, 316, 388, 2265, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0<\1\0\0\354\5\0\0" )  ... {28, 56, reply, 0, 316, 388, 2265, 0}  (24, {28, 56, new_msg, 0, 316, 388, 2264, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0<\1\0\0\354\5\0\0" ... {28, 56, reply, 0, 316, 388, 2265, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0<\1\0\0\354\5\0\0" )  ) == 0x0
 00931   388   NtResumeThread  (80, ... 1, ) == 0x0
 00932  1516   NtWaitForSingleObject  (68, 0, 0x0, ...
 00933   388   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "m_Tem_v3.06"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00934   388   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "m_Tem_v3.06"}, {20480, 0}, 4, 134217728, 0, ... 84, ) }, {20480, 0}, 4, 134217728, 0, ... 84, ) == 0x0
 00935   388   NtSetEventBoostPriority  (68, ...
 00916  1508   NtWaitForSingleObject  ... ) == 0x0
 00936  1508   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00937  1508   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00938  1508   NtSetEventBoostPriority  (68, ...
 00926  1512   NtWaitForSingleObject  ... ) == 0x0
 00939  1512   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00940  1512   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00941  1512   NtSetEventBoostPriority  (68, ...
 00932  1516   NtWaitForSingleObject  ... ) == 0x0
 00942  1516   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00943  1516   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00944  1516   NtTestAlert  (... ) == 0x0
 00945  1516   NtContinue  (13237552, 1, ...
 00946  1516   NtRegisterThreadTerminatePort  (24, ...
 00941  1512   NtSetEventBoostPriority  ... ) == 0x0
 00938  1508   NtSetEventBoostPriority  ... ) == 0x0
 00935   388   NtSetEventBoostPriority  ... ) == 0x0
 00947  1512   NtTestAlert  (...
 00948  1508   NtTestAlert  (...
 00946  1516   NtRegisterThreadTerminatePort  ... ) == 0x0
 00947  1512   NtTestAlert  ... ) == 0x0
 00948  1508   NtTestAlert  ... ) == 0x0
 00949  1516   NtDelayExecution  (0, {-20480000, -1}, ...
 00950   388   NtMapViewOfSection  (84, -1, (0x0), 0, 0, {0, 0}, 20480, 1, 0, 4, ...
 00951  1512   NtContinue  (12188976, 1, ...
 00950   388   NtMapViewOfSection  ... (0x390000), {0, 0}, 20480, ) == 0x0
 00952  1512   NtRegisterThreadTerminatePort  (24, ...
 00953   388   NtUnmapViewOfSection  (-1, 0x390000, ...
 00952  1512   NtRegisterThreadTerminatePort  ... ) == 0x0
 00953   388   NtUnmapViewOfSection  ... ) == 0x0
 00954  1512   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... }, ...
 00955   388   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ...
 00954  1512   NtOpenKey  ... 88, ) == 0x0
 00955   388   NtAllocateVirtualMemory  ... 1339392, 4096, ) == 0x0
 00956  1512   NtQueryValueKey  (88,  (88, "WinSock_Registry_Version", Partial, 144, ... , Partial, 144, ...
 00957  1508   NtContinue  (11140400, 1, ...
 00958   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243652, ... }, 1243652, ...
 00959  1508   NtRegisterThreadTerminatePort  (24, ...
 00958   388   NtQueryAttributesFile  ... ) == 0x0
 00959  1508   NtRegisterThreadTerminatePort  ... ) == 0x0
 00960   388   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1310720, 8, 0, 1311120}  (24, {20, 48, new_msg, 0, 1310720, 8, 0, 1311120} "\0\0\0\0\2\0\1\0\\1\24\0\0\0\0\0\215\26\365w" ...  ...
 00961  1508   NtDelayExecution  (0, {-40960000, -1}, ...
 00960   388   NtRequestWaitReplyPort  ... {20, 48, reply, 0, 316, 388, 2266, 0}  ... {20, 48, reply, 0, 316, 388, 2266, 0} "\0\0\0\0\2\0\1\0\3\0\0\0\0\0\0\0\3\0\0\0" )  ) == 0x0
 00962   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243660,  (0x80100080, {24, 0, 0x40, 0, 1243660, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00963   388   NtQueryDirectoryFile  (-2147482104, 0, 0, 0, -519884800, 4096, Names, 1,  (-2147482104, 0, 0, 0, -519884800, 4096, Names, 1, "~3.tmp", 1, ... {status=0x0, info=24}, ) , 1, ... {status=0x0, info=24}, ) == 0x0
 00964   388   NtClose  (-2147482104, ... ) == 0x0
 00956  1512   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00965  1512   NtQueryValueKey  (88,  (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00966  1512   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 00967  1512   NtOpenKey  (0x2000000, {24, 88, 0x40, 0, 0,  (0x2000000, {24, 88, 0x40, 0, 0, "Protocol_Catalog9"}, ... 96, ) }, ... 96, ) == 0x0
 00968  1512   NtQueryValueKey  (96,  (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00969  1512   NtNotifyChangeKey  (96, 92, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00970  1512   NtQueryValueKey  (96,  (96, "Serial_Access_Num", Partial, 144, ... , Partial, 144, ...
 00962   388   NtCreateFile  ... 100, {status=0x0, info=2}, ) == 0x0
 00971   388   NtClose  (100, ... ) == 0x0
 00972   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243640,  (0xc0100080, {24, 0, 0x40, 0, 1243640, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00974   388   NtClose  (-2147482104, ... ) == 0x0
 00975   388   NtQueryDirectoryFile  (-2147482104, 0, 0, 0, -519884800, 4096, Names, 1,  (-2147482104, 0, 0, 0, -519884800, 4096, Names, 1, "~3.tmp.exe", 1, ... ) , 1, ... ) == STATUS_NO_SUCH_FILE
 00970  1512   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00976  1512   NtOpenKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00977  1512   NtQueryValueKey  (96,  (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 00978  1512   NtQueryValueKey  (96,  (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 00979  1512   NtOpenKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "Catalog_Entries"}, ... 100, ) }, ... 100, ) == 0x0
 00980  1512   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000001"}, ... 104, ) }, ... 104, ) == 0x0
 00981  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... , Partial, 144, ...
 00982   388   NtClose  (-2147482104, ... ) == 0x0
 00973   388   NtCreateFile  ... 108, {status=0x0, info=2}, ) == 0x0
 00983   388   NtQueryVolumeInformationFile  (108, 1243800, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00984   388   NtQueryInformationFile  (108, 1243692, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00985   388   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 43520, 0x0, 0, ... , 43520, 0x0, 0, ...
 00981  1512   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 00986  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00987  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\334\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\331\3\0\0<\1\0\0\204\1\0\0\310\0\0\0\1\0\1\0\0\0\0\0\14\0\0\0\0\0\0\0\0\0\0\0\0\252\0\0\334\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\335\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\335\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\336\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\336\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\337\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\334\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\331\3\0\0<\1\0\0\204\1\0\0\310\0\0\0\1\0\1\0\0\0\0\0\14\0\0\0\0\0\0\0\0\0\0\0\0\252\0\0\334\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\335\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\335\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\336\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\336\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\337\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\336\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\337\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"}, 900, ) == 0x0
 00988  1512   NtClose  (104, ...
 00985   388   NtWriteFile  ... {status=0x0, info=43520}, ) == 0x0
 00988  1512   NtClose  ... ) == 0x0
 00989  1512   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000002"}, ... 104, ) }, ... 104, ) == 0x0
 00990  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00991  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00992  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\341\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\341\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\342\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\343\3\0\0<\1\0\0\204\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\343\3\0\0<\1\0\0\204\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\344\3\0\0<\1\0\0\204\1\0\0\357\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\344\3\0\0<\1\0\0\204\1\0\0\357\0\0\0\1\0\1\0"\0\0\300\0\0\0\0\345\3\0\0<\1\0\0\204\1\0\0c\0\0\0\0\0\1\0\0\0\0\0\224\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0x\355\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0b\0\32\2\240 \24\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0O\0C\0U\0M\0E\0~\01\0\\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\341\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\341\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\342\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\343\3\0\0<\1\0\0\204\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\343\3\0\0<\1\0\0\204\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\344\3\0\0<\1\0\0\204\1\0\0\357\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\344\3\0\0<\1\0\0\204\1\0\0\357\0\0\0\1\0\1\0"\0\0\300\0\0\0\0\345\3\0\0<\1\0\0\204\1\0\0c\0\0\0\0\0\1\0\0\0\0\0\224\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0x\355\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0b\0\32\2\240 \24\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0O\0C\0U\0M\0E\0~\01\0\\0"}, 900, ) \0\0\300\0\0\0\0\345\3\0\0<\1\0\0\204\1\0\0c\0\0\0\0\0\1\0\0\0\0\0\224\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0x\355\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0b\0\32\2\240 \24\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0O\0C\0U\0M\0E\0~\01\0\\0"}, 900, ) == 0x0
 00993  1512   NtClose  (104, ... ) == 0x0
 00994  1512   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000003"}, ... }, ...
 00995   388   NtClose  (108, ... ) == 0x0
 00996   388   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00997   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1240364, ... ) }, 1240364, ... ) == 0x0
 00998   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1241056, ... ) }, 1241056, ... ) == 0x0
 00999   388   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01000   388   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 108, ...
 00994  1512   NtOpenKey  ... 104, ) == 0x0
 01001  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01002  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01003  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\354\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\354\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\355\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\355\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\356\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\356\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\357\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\354\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\354\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\355\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\355\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\356\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\356\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\357\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\356\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\357\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\354\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\354\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\355\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\355\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\356\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\356\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\357\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01004  1512   NtClose  (104, ... ) == 0x0
 01005  1512   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000004"}, ... 104, ) }, ... 104, ) == 0x0
 01006  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01007  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01008  1512   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 01009  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\362\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\362\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\363\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\364\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\362\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\362\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\363\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\364\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\362\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\362\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\363\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\364\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01010  1512   NtClose  (104, ... ) == 0x0
 01011  1512   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000005"}, ... 104, ) }, ... 104, ) == 0x0
 01012  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01013  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01014  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\367\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\367\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\370\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\371\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\371\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\367\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\367\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\370\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\371\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\371\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\371\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\367\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\367\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\370\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\371\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\371\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01015  1512   NtClose  (104, ... ) == 0x0
 01016  1512   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000006"}, ... 104, ) }, ... 104, ) == 0x0
 01017  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01018  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01019  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\374\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\374\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\375\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\376\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\376\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\374\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\374\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\375\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\376\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\376\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\376\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\374\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\374\3\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\375\3\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\376\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\376\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\3\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01020  1512   NtClose  (104, ... ) == 0x0
 01021  1512   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000007"}, ... 104, ) }, ... 104, ) == 0x0
 01022  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01023  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01024  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\1\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\1\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\2\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\2\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\3\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\3\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\1\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\1\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\2\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\2\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\3\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\3\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\3\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\1\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\1\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\2\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\2\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\3\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\3\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01025  1512   NtClose  (104, ... ) == 0x0
 01026  1512   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000008"}, ... 104, ) }, ... 104, ) == 0x0
 01027  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01028  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01029  1512   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 01030  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\7\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\7\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\10\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\11\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\11\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\7\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\7\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\10\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\11\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\11\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\11\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\7\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\7\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\10\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\11\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\11\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01031  1512   NtClose  (104, ... ) == 0x0
 01032  1512   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000009"}, ... 104, ) }, ... 104, ) == 0x0
 01033  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01034  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01035  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\14\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\14\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\15\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\16\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\16\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\14\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\14\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\15\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\16\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\16\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\16\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\14\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\14\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\15\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\16\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\16\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01036  1512   NtClose  (104, ... ) == 0x0
 01037  1512   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000010"}, ... 104, ) }, ... 104, ) == 0x0
 01038  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01039  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01040  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\21\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\21\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\22\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\23\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\23\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\21\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\21\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\22\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\23\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\23\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\23\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\21\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\21\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300m\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\22\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\23\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\23\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\4\0\0<\1\0\0\350\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01041  1512   NtClose  (104, ... ) == 0x0
 01042  1512   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000011"}, ... 104, ) }, ... 104, ) == 0x0
 01043  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01044  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01045  1512   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\26\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\26\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\27\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\30\4\0\0<\1\0\0\350\5\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\4\0\0<\1\0\0\350\5\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\31\4\0\0<\1\0\0\350\5\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\31\4\0\0<\1\0\0\350\5\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\32\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\240\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0`l\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\26\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\26\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\27\4\0\0<\1\0\0\350\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\30\4\0\0<\1\0\0\350\5\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\4\0\0<\1\0\0\350\5\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\31\4\0\0<\1\0\0\350\5\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\31\4\0\0<\1\0\0\350\5\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\32\4\0\0<\1\0\0\350\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\240\376\271\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0`l\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0
 01046  1512   NtClose  (104, ... ) == 0x0
 01047  1512   NtClose  (100, ... ) == 0x0
 01048  1512   NtWaitForSingleObject  (92, 0, {0, 0}, ... ) == 0x102
 01049  1512   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 100, ) == 0x0
 01050  1512   NtOpenKey  (0x2000000, {24, 88, 0x40, 0, 0,  (0x2000000, {24, 88, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 104, ) }, ... 104, ) == 0x0
 01051  1512   NtQueryValueKey  (104,  (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01052  1512   NtNotifyChangeKey  (104, 100, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 01053  1512   NtQueryValueKey  (104,  (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01054  1512   NtOpenKey  (0x2000000, {24, 104, 0x40, 0, 0,  (0x2000000, {24, 104, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01055  1512   NtQueryValueKey  (104,  (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 01056  1512   NtOpenKey  (0x2000000, {24, 104, 0x40, 0, 0,  (0x2000000, {24, 104, 0x40, 0, 0, "Catalog_Entries"}, ... 112, ) }, ... 112, ) == 0x0
 01057  1512   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000001"}, ... 116, ) }, ... 116, ) == 0x0
 01058  1512   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01059  1512   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01060  1512   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01061  1512   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01062  1512   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01063  1512   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01064  1512   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 01065  1512   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01066  1512   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 01067  1512   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01068  1512   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01069  1512   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01070  1512   NtClose  (116, ... ) == 0x0
 01071  1512   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 01072  1512   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000002"}, ... 116, ) }, ... 116, ) == 0x0
 01073  1512   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01074  1512   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01075  1512   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01076  1512   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01077  1512   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01078  1512   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01079  1512   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01080  1512   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01081  1512   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01082  1512   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01083  1512   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01084  1512   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01085  1512   NtClose  (116, ... ) == 0x0
 01086  1512   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000003"}, ... 116, ) }, ... 116, ) == 0x0
 01087  1512   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01088  1512   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01089  1512   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01090  1512   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01091  1512   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01092  1512   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01093  1512   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 01094  1512   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01095  1512   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 01096  1512   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01097  1512   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01098  1512   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01099  1512   NtClose  (116, ... ) == 0x0
 01100  1512   NtClose  (112, ... ) == 0x0
 01101  1512   NtWaitForSingleObject  (100, 0, {0, 0}, ... ) == 0x102
 01102  1512   NtClose  (88, ... ) == 0x0
 01103  1512   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01104  1512   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01105  1512   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0
 01106  1512   NtQueryValueKey  (88,  (88, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01107  1512   NtClose  (88, ... ) == 0x0
 01108  1512   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 88, ) == 0x0
 01109  1512   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 7, 96, ... 112, {status=0x0, info=1}, ) }, 7, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 01110  1512   NtLockFile  (112, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01111  1512   NtQueryInformationFile  (112, 1354208, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01112  1512   NtAllocateVirtualMemory  (-1, 0, 0, 1048811, 8192, 4, ... 13238272, 1052672, ) == 0x0
 01113  1512   NtAllocateVirtualMemory  (-1, 13238272, 0, 235, 4096, 4, ... 13238272, 4096, ) == 0x0
 01114  1512   NtReadFile  (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231},  (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0
 01115  1512   NtFreeVirtualMemory  (-1, (0xca0000), 1052672, 32768, ... (0xca0000), 1052672, ) == 0x0
 01116  1512   NtUnlockFile  (112, {0, 0}, {-1, -1}, 1512, ... ) == STATUS_RANGE_NOT_LOCKED
 01117  1512   NtClose  (112, ... ) == 0x0
 01118  1512   NtOpenProcessToken  (-1, 0x8, ... 112, ) == 0x0
 01119  1512   NtQueryInformationToken  (112, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01120  1512   NtClose  (112, ... ) == 0x0
 01121  1512   NtCreateFile  (0xc0100000, {24, 0, 0x40, 0, 0,  (0xc0100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 0x0, 128, 7, 3, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 01122  1512   NtLockFile  (112, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 1, ... {status=0x0, info=-2142329745}, ) == 0x0
 01123  1512   NtQueryInformationFile  (112, 1354208, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01124  1512   NtAllocateVirtualMemory  (-1, 0, 0, 1048811, 8192, 4, ... 13238272, 1052672, ) == 0x0
 01125  1512   NtAllocateVirtualMemory  (-1, 13238272, 0, 235, 4096, 4, ... 13238272, 4096, ) == 0x0
 01126  1512   NtReadFile  (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231},  (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0
 01127  1512   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "[MCIDRV_VER]\15\12DEVICE=58265rywha50035\15\12", 38, {231, 0}, 2012046884, ... {status=0x0, info=38}, ) , 38, {231, 0}, 2012046884, ... {status=0x0, info=38}, ) == 0x0
 01128  1512   NtSetInformationFile  (112, 12188840, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01129  1512   NtFreeVirtualMemory  (-1, (0xca0000), 1052672, 32768, ... (0xca0000), 1052672, ) == 0x0
 01130  1512   NtUnlockFile  (112, {0, 0}, {-1, -1}, 1512, ... ) == STATUS_RANGE_NOT_LOCKED
 01131  1512   NtClose  (112, ... ) == 0x0
 01132  1512   NtDelayExecution  (0, {-122880000, -1}, ...
 01000   388   NtCreateSection  ... 112, ) == 0x0
 01133   388   NtQueryVolumeInformationFile  (108, 1240364, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01134   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 01135   388   NtQueryInformationFile  (116, 1238952, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01136   388   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 116, ... 120, ) == 0x0
 01137   388   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xca0000), 0x0, 1028096, ) == 0x0
 01138   388   NtQueryInformationFile  (116, 1239048, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01139   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01140   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01141   388   NtQueryDirectoryFile  (124, 0, 0, 0, 1236612, 616, BothDirectory, 1,  (124, 0, 0, 0, 1236612, 616, BothDirectory, 1, "~3.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01142   388   NtClose  (124, ... ) == 0x0
 01143   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01144   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01145   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe"}, 1236000, ... ) }, 1236000, ... ) == 0x0
 01146   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01147   388   NtQueryDirectoryFile  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01148   388   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01149   388   NtClose  (124, ... ) == 0x0
 01150   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01151   388   NtQueryDirectoryFile  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01152   388   NtClose  (124, ... ) == 0x0
 01153   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01154   388   NtQueryDirectoryFile  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 01155   388   NtClose  (124, ... ) == 0x0
 01156   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 01157   388   NtQueryDirectoryFile  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1,  (124, 0, 0, 0, 1235360, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 01158   388   NtClose  (124, ... ) == 0x0
 01159   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01160   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01161   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01162   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01163   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01164   388   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01165   388   NtClose  (124, ... ) == 0x0
 01166   388   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01167   388   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~3.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01168   388   NtUnmapViewOfSection  (-1, 0xca0000, ... ) == 0x0
 01169   388   NtClose  (120, ... ) == 0x0
 01170   388   NtClose  (116, ... ) == 0x0
 01171   388   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01172   388   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~3.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01173   388   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01174   388   NtOpenProcessToken  (-1, 0xa, ... 116, ) == 0x0
 01175   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 120, ) }, ... 120, ) == 0x0
 01176   388   NtQueryValueKey  (120,  (120, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01177   388   NtQueryValueKey  (120,  (120, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (120, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01178   388   NtClose  (120, ... ) == 0x0
 01179   388   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 120, ) }, ... 120, ) == 0x0
 01180   388   NtQuerySymbolicLinkObject  (120, ...  (120, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01181   388   NtClose  (120, ... ) == 0x0
 01182   388   NtQueryInformationFile  (108, 1238716, 528, Name, ... {status=0x0, info=130}, ) == 0x0
 01183   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01184   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01185   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\~3.tmp.exe"}, 1237396, ... ) }, 1237396, ... ) == 0x0
 01186   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01187   388   NtQueryDirectoryFile  (120, 0, 0, 0, 1236756, 616, BothDirectory, 1,  (120, 0, 0, 0, 1236756, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01188   388   NtClose  (120, ... ) == 0x0
 01189   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01190   388   NtQueryDirectoryFile  (120, 0, 0, 0, 1236756, 616, BothDirectory, 1,  (120, 0, 0, 0, 1236756, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 01191   388   NtClose  (120, ... ) == 0x0
 01192   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01193   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01194   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 120, ) }, ... 120, ) == 0x0
 01195   388   NtQueryValueKey  (120,  (120, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01196   388   NtClose  (120, ... ) == 0x0
 01197   388   NtQueryInformationToken  (116, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01198   388   NtQueryInformationToken  (116, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01199   388   NtClose  (116, ... ) == 0x0
 01200   388   NtCreateProcessEx  (1242992, 2035711, 0, -1, 0, 112, 0, 0, 0, ... ) == 0x0
 01201   388   NtQueryInformationProcess  (116, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1520,ParentPid=316,}, 0x0, ) == 0x0
 01202   388   NtReadVirtualMemory  (116, 0x7ffdf008, 4, ...  (116, 0x7ffdf008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0
 01203   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~3.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01204   388   NtAllocateVirtualMemory  (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0
 01205   388   NtReadVirtualMemory  (116, 0x9800000, 4096, ...  (116, 0x9800000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0
 01206   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01207   388   NtQueryInformationProcess  (116, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1520,ParentPid=316,}, 0x0, ) == 0x0
 01208   388   NtAllocateVirtualMemory  (-1, 0, 0, 1772, 4096, 4, ... 3735552, 4096, ) == 0x0
 01209   388   NtAllocateVirtualMemory  (116, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01210   388   NtWriteVirtualMemory  (116, 0x10000,  (116, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01211   388   NtAllocateVirtualMemory  (116, 0, 0, 1772, 4096, 4, ... 131072, 4096, ) == 0x0
 01212   388   NtWriteVirtualMemory  (116, 0x20000,  (116, 0x20000, "\0\20\0\0\354\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0Z\0\\0\264\5\0\0Z\0\\0\20\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0l\6\0\0\36\0 \0\310\6\0\0\0\0\2\0\350\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1772, ... 0x0, ) , 1772, ... 0x0, ) == 0x0
 01213   388   NtWriteVirtualMemory  (116, 0x7ffdf010,  (116, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01214   388   NtWriteVirtualMemory  (116, 0x7ffdf1e8,  (116, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01215   388   NtFreeVirtualMemory  (-1, (0x390000), 0, 32768, ... (0x390000), 4096, ) == 0x0
 01216   388   NtAllocateVirtualMemory  (116, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01217   388   NtAllocateVirtualMemory  (116, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01218   388   NtProtectVirtualMemory  (116, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01219   388   NtCreateThread  (0x1f03ff, 0x0, 116, 1241256, 1241976, 1, ... 120, {1520, 340}, ) == 0x0
 01220   388   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329880, 1243076}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329880, 1243076} "\0\0\0\0\0\0\1\0\2$\370w U\367ww\0\0\0x\0\0\0\360\5\0\0T\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 388, 2267, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wt\0\0\0x\0\0\0\360\5\0\0T\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 316, 388, 2267, 0}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1329880, 1243076} "\0\0\0\0\0\0\1\0\2$\370w U\367ww\0\0\0x\0\0\0\360\5\0\0T\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 388, 2267, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wt\0\0\0x\0\0\0\360\5\0\0T\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01221   388   NtResumeThread  (120, ... 1, ) == 0x0
 01222   388   NtClose  (108, ... ) == 0x0
 01223   388   NtClose  (112, ... ) == 0x0
 01224   388   NtQueryInformationProcess  (116, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1520,ParentPid=316,}, 0x0, ) == 0x0
 01225   388   NtUserWaitForInputIdle  (1520, 30000, 0, ...
 01226   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0
 01227   388   NtClose  (112, ... ) == 0x0
 00949  1516   NtDelayExecution  ... ) == 0x0
 01228  1516   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 3735552, 65536, ) == 0x0
 01229  1516   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 01230  1516   NtCreateSection  (0xf0007, 0x0, {13396, 0}, 4, 134217728, 0, ... 112, ) == 0x0
 01231  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 16384, ) == 0x0
 01232  1516   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01233  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 16384, ) == 0x0
 01234  1516   NtFreeVirtualMemory  (-1, (0x390000), 0, 32768, ... (0x390000), 65536, ) == 0x0
 01235  1516   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01236  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01237  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01238  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01239  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01240  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01241  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01242  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01243  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01244  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01245  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01246  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01247  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01248  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01249  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01250  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01251  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01252  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01253  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01254  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01255  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01256  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01257  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01258  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01259  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01260  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01261  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01262  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01263  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01264  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01265  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01266  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01267  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01268  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01269  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01270  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01271  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01272  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01273  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01274  1516   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 16384, ) == 0x0
 01275  1516   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01276  1516   NtContinue  (13234856, 0, ...
 01277  1516   NtDelayExecution  (0, {-20480000, -1}, ...
 00961  1508   NtDelayExecution  ... ) == 0x0
 01278  1508   NtMapViewOfSection  (84, -1, (0x0), 0, 0, {0, 0}, 20480, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01279  1508   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01280  1508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "sfc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01281  1508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc.dll"}, 11139004, ... ) }, 11139004, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01282  1508   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "sfc.dll"}, 11139004, ... ) }, 11139004, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01283  1508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 11139004, ... ) }, 11139004, ... ) == 0x0
 01284  1508   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01285  1508   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 124, ) == 0x0
 01286  1508   NtQuerySection  (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01287  1508   NtClose  (108, ... ) == 0x0
 01288  1508   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bb0000), 0x0, 16384, ) == 0x0
 01289  1508   NtClose  (124, ... ) == 0x0
 01290  1508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "sfc_os.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01291  1508   NtAllocateVirtualMemory  (-1, 11128832, 0, 4096, 4096, 260, ... 11128832, 4096, ) == 0x0
 01292  1508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc_os.dll"}, 11138200, ... ) }, 11138200, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01293  1508   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "sfc_os.dll"}, 11138200, ... ) }, 11138200, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01294  1508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 11138200, ... ) }, 11138200, ... ) == 0x0
 01295  1508   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 01296  1508   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 124, ... 108, ) == 0x0
 01297  1508   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01298  1508   NtClose  (124, ... ) == 0x0
 01299  1508   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c60000), 0x0, 167936, ) == 0x0
 01300  1508   NtClose  (108, ... ) == 0x0
 01301  1508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01302  1508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 11137396, ... ) }, 11137396, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01303  1508   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WINTRUST.dll"}, 11137396, ... ) }, 11137396, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01304  1508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 11137396, ... ) }, 11137396, ... ) == 0x0
 01305  1508   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01306  1508   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 124, ) == 0x0
 01307  1508   NtQuerySection  (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01308  1508   NtClose  (108, ... ) == 0x0
 01309  1508   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0
 01310  1508   NtClose  (124, ... ) == 0x0
 01311  1508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 124, ) }, ... 124, ) == 0x0
 01312  1508   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 01313  1508   NtClose  (124, ... ) == 0x0
 01314  1508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 124, ) }, ... 124, ) == 0x0
 01315  1508   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 01316  1508   NtClose  (124, ... ) == 0x0
 01317  1508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 124, ) }, ... 124, ) == 0x0
 01318  1508   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0
 01319  1508   NtClose  (124, ... ) == 0x0
 01320  1508   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01321  1508   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 01322  1508   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 11139136, 0,  (0x1f0003, {24, 52, 0x80, 11139136, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01323  1508   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 124, ) }, ... 124, ) == 0x0
 01324  1508   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 01325  1508   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01326  1508   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 3735552, 262144, ) == 0x0
 01327  1508   NtAllocateVirtualMemory  (-1, 3735552, 0, 4096, 4096, 4, ... 3735552, 4096, ) == 0x0
 01328  1508   NtAllocateVirtualMemory  (-1, 3739648, 0, 8192, 4096, 4, ... 3739648, 8192, ) == 0x0
 01329  1508   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01330  1508   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13238272, 1048576, ) == 0x0
 01331  1508   NtAllocateVirtualMemory  (-1, 13238272, 0, 1048576, 4096, 4, ... 13238272, 1048576, ) == 0x0
 01332  1508   NtCreateMutant  (0x1f0001, 0x0, 0, ... 108, ) == 0x0
 01333  1508   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 128, ) == 0x0
 01334  1508   NtCreateMutant  (0x1f0001, 0x0, 0, ... 132, ) == 0x0
 01335  1508   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 136, ) == 0x0
 01336  1508   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 140, ) == 0x0
 01337  1508   NtSetEvent  (140, ... 0x0, ) == 0x0
 01338  1508   NtDelayExecution  (0, {-40960000, -1}, ...
 01277  1516   NtDelayExecution  ... ) == 0x0
 01339  1516   NtContinue  (13234856, 0, ...
 01340  1516   NtDelayExecution  (0, {-20480000, -1}, ... ) == 0x0
 01341  1516   NtContinue  (13234856, 0, ...
 01342  1516   NtDelayExecution  (0, {-20480000, -1}, ...
 01338  1508   NtDelayExecution  ... ) == 0x0
 01343  1508   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01344  1508   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 11140848,  (0x40100080, {24, 0, 0x40, 0, 11140848, "\??\C:\KUKU300a"}, 0x0, 32, 2, 5, 96, 0, 0, ... }, 0x0, 32, 2, 5, 96, 0, 0, ...
 01345  1508   NtClose  (-2147482028, ... ) == 0x0
 01344  1508   NtCreateFile  ... 144, {status=0x0, info=2}, ) == 0x0
 01346  1508   NtClose  (144, ... ) == 0x0
 01347  1508   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\KUKU300a"}, 7, 2113600, ... 144, {status=0x0, info=1}, ) }, 7, 2113600, ... 144, {status=0x0, info=1}, ) == 0x0
 01348  1508   NtQueryInformationFile  (144, 11140912, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER
 01349  1508   NtSetInformationFile  (144, 11140963, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0
 01350  1508   NtClose  (144, ... ) == 0x0
 01351  1508   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01352  1508   NtEnumerateValueKey  (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) , Data=" (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) \0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) == 0x0
 01353  1508   NtEnumerateValueKey  (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) , Data=" (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) \0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) == 0x0
 01354  1508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 148, ) }, ... 148, ) == 0x0
 01355  1508   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "ActiveComputerName"}, ... 152, ) }, ... 152, ) == 0x0
 01356  1508   NtQueryValueKey  (152,  (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01357  1508   NtClose  (152, ... ) == 0x0
 01358  1508   NtClose  (148, ... ) == 0x0
 01359  1508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 148, ) }, ... 148, ) == 0x0
 01360  1508   NtQueryValueKey  (148,  (148, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (148, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (148, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0
 01361  1508   NtClose  (148, ... ) == 0x0
 01362  1508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01363  1508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 148, ) }, ... 148, ) == 0x0
 01364  1508   NtQueryValueKey  (148,  (148, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (148, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (148, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01365  1508   NtClose  (148, ... ) == 0x0
 01366  1508   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01367  1508   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01368  1508   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 148, ) }, ... 148, ) == 0x0
 01369  1508   NtQueryValueKey  (148,  (148, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01370  1508   NtClose  (148, ... ) == 0x0
 01371  1508   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01372  1508   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01373  1508   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 01374  1508   NtQuerySystemTime  (... {1900448072, 29889243}, ) == 0x0
 01375  1508   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 156, ) == 0x0
 01376  1508   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01377  1508   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01378  1508   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01379  1508   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01380  1508   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01381  1508   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 164, ) == 0x0
 01382  1508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 168, ) }, ... 168, ) == 0x0
 01383  1508   NtOpenKey  (0x20019, {24, 168, 0x40, 0, 0,  (0x20019, {24, 168, 0x40, 0, 0, "ActiveComputerName"}, ... 172, ) }, ... 172, ) == 0x0
 01384  1508   NtQueryValueKey  (172,  (172, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (172, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (172, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01385  1508   NtClose  (172, ... ) == 0x0
 01386  1508   NtClose  (168, ... ) == 0x0
 01387  1508   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 168, ) == 0x0
 01388  1508   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 172, ) == 0x0
 01389  1508   NtDuplicateObject  (-1, 168, -1, 0x0, 0, 2, ... 176, ) == 0x0
 01390  1508   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 01391  1508   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01392  1508   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 180, ) == 0x0
 01393  1508   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01394  1508   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01395  1508   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11137948,  (0xc0100080, {24, 0, 0x40, 0, 11137948, "\??\PIPE\SfcApi"}, 0x0, 0, 3, 1, 64, 0, 0, ... 184, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 184, {status=0x0, info=1}, ) == 0x0
 01396  1508   NtSetInformationFile  (184, 11138004, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01397  1508   NtSetInformationFile  (184, 11137996, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01398  1508   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01399  1508   NtWriteFile  (184, 161, 0, 0,  (184, 161, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\0|\332\203O\350\322\21\230\7\0\300O\216\310P\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01400  1508   NtReadFile  (184, 161, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (184, 161, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20w\36\0\0\15\0\PIPE\SfcApi\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01401  1508   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\1\0\0\0\\0\0\0\0\0\1\0p\342\0\20&\0\0\0\0\0\0\0&\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0M\0E\0S\0S\0E\0N\0G\0E\0R\0\\0M\0S\0M\0S\0G\0S\0.\0E\0X\0E\0\0\0", 116, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20w\36\0\0\15\0\PIPE\SfcApi\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 116, 1024, ... {status=0x103, info=68},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\1\0\0\0\\0\0\0\0\0\1\0p\342\0\20&\0\0\0\0\0\0\0&\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0M\0E\0S\0S\0E\0N\0G\0E\0R\0\\0M\0S\0M\0S\0G\0S\0.\0E\0X\0E\0\0\0", 116, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20w\36\0\0\15\0\PIPE\SfcApi\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01402  1508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 11140016, ... ) }, 11140016, ... ) == 0x0
 01403  1508   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01404  1508   NtSetInformationFile  (188, 11139992, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01405  1508   NtClose  (188, ... ) == 0x0
 01406  1508   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11139996,  (0xc0100080, {24, 0, 0x40, 0, 11139996, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION
 01407  1508   NtQueryInformationFile  (-1, 11140048, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01408  1508   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 01409  1508   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01410  1508   NtSetInformationFile  (188, 11139992, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01411  1508   NtClose  (188, ... ) == 0x0
 01412  1508   NtDelayExecution  (0, {-10240000, -1}, ...
 01342  1516   NtDelayExecution  ... ) == 0x0
 01413  1516   NtContinue  (13234856, 0, ...
 01414  1516   NtDelayExecution  (0, {-20480000, -1}, ...
 01412  1508   NtDelayExecution  ... ) == 0x0
 01415  1508   NtEnumerateValueKey  (144, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01416  1508   NtClose  (144, ... ) == 0x0
 01417  1508   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01418  1508   NtEnumerateValueKey  (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) , Data= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 01419  1508   NtEnumerateValueKey  (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) , Data= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 01420  1508   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\2\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0T\0R\0A\0Y\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 144, 1024, ... {status=0x103, info=28},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\2\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0T\0R\0A\0Y\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103
 01421  1508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 11140016, ... ) }, 11140016, ... ) == 0x0
 01422  1508   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01423  1508   NtSetInformationFile  (188, 11139992, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01424  1508   NtClose  (188, ... ) == 0x0
 01425  1508   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11139996,  (0xc0100080, {24, 0, 0x40, 0, 11139996, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION
 01426  1508   NtQueryInformationFile  (-1, 11140048, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01427  1508   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 01428  1508   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01429  1508   NtSetInformationFile  (188, 11139992, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01430  1508   NtClose  (188, ... ) == 0x0
 01431  1508   NtDelayExecution  (0, {-10240000, -1}, ... ) == 0x0
 01432  1508   NtEnumerateValueKey  (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) , Data= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) }, 164, ) == 0x0
 01433  1508   NtEnumerateValueKey  (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) , Data= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) }, 164, ) == 0x0
 01434  1508   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\3\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0U\0S\0E\0R\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\2\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 144, 1024, ... {status=0x103, info=28},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\3\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0U\0S\0E\0R\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\2\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103
 01435  1508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 11140016, ... ) }, 11140016, ... ) == 0x0
 01436  1508   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01437  1508   NtSetInformationFile  (188, 11139992, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01438  1508   NtClose  (188, ... ) == 0x0
 01439  1508   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11139996,  (0xc0100080, {24, 0, 0x40, 0, 11139996, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION
 01440  1508   NtQueryInformationFile  (-1, 11140048, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01441  1508   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 01442  1508   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01443  1508   NtSetInformationFile  (188, 11139992, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01444  1508   NtClose  (188, ... ) == 0x0
 01445  1508   NtDelayExecution  (0, {-10240000, -1}, ...
 01414  1516   NtDelayExecution  ... ) == 0x0
 01446  1516   NtContinue  (13234856, 0, ...
 01447  1516   NtDelayExecution  (0, {-20480000, -1}, ...
 01445  1508   NtDelayExecution  ... ) == 0x0
 01448  1508   NtEnumerateValueKey  (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0o\0h\0a\0p\0o\0c\0y\0d\0h\0i\0y\0g\0h\0.\0e\0x\0e\0\0\0"}, 104, ) , Data= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0o\0h\0a\0p\0o\0c\0y\0d\0h\0i\0y\0g\0h\0.\0e\0x\0e\0\0\0"}, 104, ) }, 104, ) == 0x0
 01449  1508   NtEnumerateValueKey  (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0o\0h\0a\0p\0o\0c\0y\0d\0h\0i\0y\0g\0h\0.\0e\0x\0e\0\0\0"}, 104, ) , Data= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0o\0h\0a\0p\0o\0c\0y\0d\0h\0i\0y\0g\0h\0.\0e\0x\0e\0\0\0"}, 104, ) }, 104, ) == 0x0
 01450  1508   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\4\0\0\0\\0\0\0\0\0\1\0p\342\0\20&\0\0\0\0\0\0\0&\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0Y\0S\0T\0E\0M\03\02\0\\0O\0H\0A\0P\0O\0C\0Y\0D\0H\0I\0Y\0G\0H\0.\0E\0X\0E\0\0\0", 116, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 116, 1024, ... {status=0x103, info=28},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\4\0\0\0\\0\0\0\0\0\1\0p\342\0\20&\0\0\0\0\0\0\0&\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0Y\0S\0T\0E\0M\03\02\0\\0O\0H\0A\0P\0O\0C\0Y\0D\0H\0I\0Y\0G\0H\0.\0E\0X\0E\0\0\0", 116, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103
 01451  1508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\OHAPOCYDHIYGH.EXE"}, 11140016, ... ) }, 11140016, ... ) == 0x0
 01452  1508   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\OHAPOCYDHIYGH.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01453  1508   NtSetInformationFile  (188, 11139992, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01454  1508   NtClose  (188, ... ) == 0x0
 01455  1508   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11139996,  (0xc0100080, {24, 0, 0x40, 0, 11139996, "\??\C:\WINDOWS\SYSTEM32\OHAPOCYDHIYGH.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION
 01456  1508   NtQueryInformationFile  (-1, 11140048, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01457  1508   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 01458  1508   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\OHAPOCYDHIYGH.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01459  1508   NtSetInformationFile  (188, 11139992, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01460  1508   NtClose  (188, ... ) == 0x0
 01461  1508   NtDelayExecution  (0, {-10240000, -1}, ...
 01132  1512   NtDelayExecution  ... ) == 0x0
 01462  1512   NtOpenKey  (0xf003f, {24, 64, 0x40, 0, 0,  (0xf003f, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 188, ) }, ... 188, ) == 0x0
 01463  1512   NtSetValueKey  (188,  (188, "GlobalUserOffline", 0, 4, "\0\0\0\0", 4, ... , 0, 4,  (188, "GlobalUserOffline", 0, 4, "\0\0\0\0", 4, ... , 4, ...
 01464  1512   NtSetInformationFile  (-2147482732, -108341452, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01465  1512   NtSetInformationFile  (-2147482732, -108341488, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01466  1512   NtSetInformationFile  (-2147482732, -108341544, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01467  1512   NtSetInformationFile  (-2147482732, -108341852, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01463  1512   NtSetValueKey  ... ) == 0x0
 01468  1512   NtClose  (188, ... ) == 0x0
 01469  1512   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 188, ) }, ... 188, ) == 0x0
 01470  1512   NtMapViewOfSection  (188, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 01471  1512   NtClose  (188, ... ) == 0x0
 01472  1512   NtAllocateVirtualMemory  (-1, 12177408, 0, 4096, 4096, 260, ... 12177408, 4096, ) == 0x0
 01473  1512   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 01474  1512   NtCreateKey  (0xf003f, {24, 64, 0x40, 0, 0,  (0xf003f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 188, 2, ) }, 0, 0x0, 0, ... 188, 2, ) == 0x0
 01475  1512   NtQueryDefaultUILanguage  (12185940, ...
 01476  1512   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01477  1512   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482028, ) == 0x0
 01478  1512   NtQueryInformationToken  (-2147482028, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01479  1512   NtClose  (-2147482028, ... ) == 0x0
 01480  1512   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482028, ) }, ... -2147482028, ) == 0x0
 01481  1512   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01482  1512   NtOpenKey  (0x80000000, {24, -2147482028, 0x640, 0, 0,  (0x80000000, {24, -2147482028, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 01483  1512   NtQueryValueKey  (-2147482024,  (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484  1512   NtClose  (-2147482024, ... ) == 0x0
 01485  1512   NtClose  (-2147482028, ... ) == 0x0
 01475  1512   NtQueryDefaultUILanguage  ... ) == 0x0
 01486  1512   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01487  1512   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 192, {status=0x0, info=1}, ) }, 1, 96, ... 192, {status=0x0, info=1}, ) == 0x0
 01488  1512   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 192, ... 196, ) == 0x0
 01489  1512   NtMapViewOfSection  (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xda0000), 0x0, 593920, ) == 0x0
 01490  1512   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01491  1512   NtAllocateVirtualMemory  (-1, 12173312, 0, 4096, 4096, 260, ... 12173312, 4096, ) == 0x0
 01492  1512   NtQueryDefaultLocale  (1, 12183976, ... ) == 0x0
 01493  1512   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01494  1512   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 12184832, 1, 96, 0}  (24, {128, 156, new_msg, 0, 12184832, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\271\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\341\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\271\0\0\0\0\0" ... {128, 156, reply, 0, 316, 1512, 2415, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\271\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\341\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\271\0\0\0\0\0" )  ... {128, 156, reply, 0, 316, 1512, 2415, 0}  (24, {128, 156, new_msg, 0, 12184832, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\271\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\341\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\271\0\0\0\0\0" ... {128, 156, reply, 0, 316, 1512, 2415, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\271\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\341\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\271\0\0\0\0\0" )  ) == 0x0
 01495  1512   NtClose  (192, ... ) == 0x0
 01496  1512   NtClose  (196, ... ) == 0x0
 01497  1512   NtUnmapViewOfSection  (-1, 0xda0000, ... ) == 0x0
 01498  1512   NtUnmapViewOfSection  (-1, 0xb9f400, ... ) == STATUS_NOT_MAPPED_VIEW
 01499  1512   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01500  1512   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01501  1512   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01502  1512   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01503  1512   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 12182516, ... ) }, 12182516, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504  1512   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01505  1512   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01506  1512   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01507  1512   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 12183108, ... ) }, 12183108, ... ) == 0x0
 01508  1512   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 196, {status=0x0, info=1}, ) }, 3, 33, ... 196, {status=0x0, info=1}, ) == 0x0
 01509  1512   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01510  1512   NtCreateKey  (0x2001f, {24, 64, 0x40, 0, 0,  (0x2001f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 192, 2, ) }, 0, 0x0, 0, ... 192, 2, ) == 0x0
 01511  1512   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 4096, 4, ... 14286848, 262144, ) == 0x0
 01512  1512   NtWaitForSingleObject  (100, 0, {0, 0}, ... ) == 0x102
 01513  1512   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12185800, ... ) }, 12185800, ... ) == 0x0
 01514  1512   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01515  1512   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 200, ... 204, ) == 0x0
 01516  1512   NtClose  (200, ... ) == 0x0
 01517  1512   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xde0000), 0x0, 229376, ) == 0x0
 01518  1512   NtClose  (204, ... ) == 0x0
 01519  1512   NtUnmapViewOfSection  (-1, 0xde0000, ... ) == 0x0
 01520  1512   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12186116, ... ) }, 12186116, ... ) == 0x0
 01521  1512   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01522  1512   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0
 01523  1512   NtQuerySection  (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01524  1512   NtClose  (204, ... ) == 0x0
 01525  1512   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0
 01526  1512   NtClose  (200, ... ) == 0x0
 01527  1512   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01528  1512   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01529  1512   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 01530  1512   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 01531  1512   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532  1512   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 12185916, ... ) }, 12185916, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01533  1512   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 12185916, ... ) }, 12185916, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534  1512   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 12185916, ... ) }, 12185916, ... ) == 0x0
 01535  1512   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01536  1512   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 01537  1512   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01538  1512   NtClose  (204, ... ) == 0x0
 01539  1512   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0
 01540  1512   NtClose  (208, ... ) == 0x0
 01541  1512   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0
 01542  1512   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 01543  1512   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01544  1512   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01545  1512   NtQueryValueKey  (204,  (204, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01546  1512   NtQueryValueKey  (208,  (208, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01547  1512   NtQueryValueKey  (204,  (204, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01548  1512   NtQueryValueKey  (208,  (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01549  1512   NtQueryValueKey  (204,  (204, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01550  1512   NtQueryValueKey  (208,  (208, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01551  1512   NtQueryValueKey  (204,  (204, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01552  1512   NtQueryValueKey  (208,  (208, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01553  1512   NtQueryValueKey  (204,  (204, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01554  1512   NtQueryValueKey  (204,  (204, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01555  1512   NtQueryValueKey  (204,  (204, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01556  1512   NtQueryValueKey  (204,  (204, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01557  1512   NtQueryValueKey  (204,  (204, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01558  1512   NtQueryValueKey  (204,  (204, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01559  1512   NtQueryValueKey  (204,  (204, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01560  1512   NtQueryValueKey  (208,  (208, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01561  1512   NtQueryValueKey  (204,  (204, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01562  1512   NtQueryValueKey  (204,  (204, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01563  1512   NtQueryValueKey  (208,  (208, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01564  1512   NtQueryValueKey  (204,  (204, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01565  1512   NtQueryValueKey  (208,  (208, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01566  1512   NtQueryValueKey  (204,  (204, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01567  1512   NtQueryValueKey  (208,  (208, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01568  1512   NtQueryValueKey  (204,  (204, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01569  1512   NtQueryValueKey  (208,  (208, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01570  1512   NtQueryValueKey  (204,  (204, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01571  1512   NtQueryValueKey  (208,  (208, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01572  1512   NtQueryValueKey  (204,  (204, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01573  1512   NtQueryValueKey  (208,  (208, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01574  1512   NtQueryValueKey  (204,  (204, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01575  1512   NtQueryValueKey  (208,  (208, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01576  1512   NtQueryValueKey  (204,  (204, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01577  1512   NtQueryValueKey  (208,  (208, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01578  1512   NtQueryValueKey  (204,  (204, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01579  1512   NtQueryValueKey  (204,  (204, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01580  1512   NtQueryValueKey  (204,  (204, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01581  1512   NtQueryValueKey  (204,  (204, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01582  1512   NtQueryValueKey  (204,  (204, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01583  1512   NtQueryValueKey  (204,  (204, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01584  1512   NtQueryValueKey  (204,  (204, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01585  1512   NtQueryValueKey  (204,  (204, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01586  1512   NtQueryValueKey  (204,  (204, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01587  1512   NtQueryValueKey  (204,  (204, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01588  1512   NtQueryValueKey  (204,  (204, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01589  1512   NtQueryValueKey  (204,  (204, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01590  1512   NtQueryValueKey  (204,  (204, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01591  1512   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 01592  1512   NtQueryValueKey  (212,  (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01593  1512   NtClose  (212, ... ) == 0x0
 01594  1512   NtClose  (208, ... ) == 0x0
 01595  1512   NtClose  (204, ... ) == 0x0
 01596  1512   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 01597  1512   NtQueryValueKey  (204,  (204, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01598  1512   NtQueryValueKey  (204,  (204, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01599  1512   NtQueryValueKey  (204,  (204, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01600  1512   NtClose  (204, ... ) == 0x0
 01601  1512   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0
 01602  1512   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 208, ) == 0x0
 01603  1512   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 01604  1512   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12186392, 112, ... 216, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12186392, 112, ... 216, 0x0, 0x0, 0x0, 112, ) == 0x0
 01605  1512   NtRequestWaitReplyPort  (216, {128, 152, new_msg, 0, 127212, 1310720, 12186156, 2012750850}  (216, {128, 152, new_msg, 0, 127212, 1310720, 12186156, 2012750850} "\0\370\271\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\350(\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\260&\25\0('\25\0\0\0\0\0 '\25\0H'\25\0\270(\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\4\24\0\0\0\0\0&\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 316, 1512, 2417, 0} "\7\370\271\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\260&\25\0('\25\0\0\0\0\0 '\25\0H'\25\0\270(\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\4\24\0\0\0\0\0&\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 316, 1512, 2417, 0}  (216, {128, 152, new_msg, 0, 127212, 1310720, 12186156, 2012750850} "\0\370\271\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\350(\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\260&\25\0('\25\0\0\0\0\0 '\25\0H'\25\0\270(\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\4\24\0\0\0\0\0&\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 316, 1512, 2417, 0} "\7\370\271\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\260&\25\0('\25\0\0\0\0\0 '\25\0H'\25\0\270(\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\4\24\0\0\0\0\0&\0\0\0\5\0\0\0" )  ) == 0x0
 01606  1512   NtRequestWaitReplyPort  (216, {64, 88, new_msg, 0, 0, 0, 0, 0}  (216, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 316, 1512, 2418, 0} "\2P\375\177\1\00\300\0\0\0\0S\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\31\13\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 316, 1512, 2418, 0}  (216, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 316, 1512, 2418, 0} "\2P\375\177\1\00\300\0\0\0\0S\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\31\13\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 01607  1512   NtClose  (212, ... ) == 0x0
 01608  1512   NtClose  (216, ... ) == 0x0
 01609  1512   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) , 0, ... 216, 2, ) == 0x0
 01610  1512   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 212, ) }, ... 212, ) == 0x0
 01611  1512   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01612  1512   NtQueryValueKey  (216,  (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 01613  1512   NtQueryValueKey  (216,  (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 01614  1512   NtClose  (216, ... ) == 0x0
 01615  1512   NtClose  (212, ... ) == 0x0
 01616  1512   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 01617  1512   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12186256, 112, ... 216, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12186256, 112, ... 216, 0x0, 0x0, 0x0, 112, ) == 0x0
 01618  1512   NtRequestWaitReplyPort  (216, {128, 152, new_msg, 0, 127076, 1310720, 12186020, 2012750850}  (216, {128, 152, new_msg, 0, 127076, 1310720, 12186020, 2012750850} "\0\370\271\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\350(\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\260&\25\0P'\25\0\0\0\0\0(\2\24\0@)\25\0@\0\0\0\0\0\0\0\0\0\24\0\350)\25\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 316, 1512, 2421, 0} "\7\370\271\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\260&\25\0P'\25\0\0\0\0\0(\2\24\0@)\25\0@\0\0\0\0\0\0\0\0\0\24\0\350)\25\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 316, 1512, 2421, 0}  (216, {128, 152, new_msg, 0, 127076, 1310720, 12186020, 2012750850} "\0\370\271\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\350(\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\260&\25\0P'\25\0\0\0\0\0(\2\24\0@)\25\0@\0\0\0\0\0\0\0\0\0\24\0\350)\25\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 316, 1512, 2421, 0} "\7\370\271\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\260&\25\0P'\25\0\0\0\0\0(\2\24\0@)\25\0@\0\0\0\0\0\0\0\0\0\24\0\350)\25\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 01619  1512   NtRequestWaitReplyPort  (216, {44, 68, new_msg, 0, 316, 1512, 2418, 0}  (216, {44, 68, new_msg, 0, 316, 1512, 2418, 0} "\1P\0\0A\2\4\0\0\0\0\0S\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 316, 1512, 2422, 0} "\2P\375\177\4\00\300\0\0\0\0S\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" )  ... {40, 64, reply, 0, 316, 1512, 2422, 0}  (216, {44, 68, new_msg, 0, 316, 1512, 2418, 0} "\1P\0\0A\2\4\0\0\0\0\0S\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 316, 1512, 2422, 0} "\2P\375\177\4\00\300\0\0\0\0S\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" )  ) == 0x0
 01620  1512   NtRequestWaitReplyPort  (216, {64, 88, new_msg, 56, 0, 1, 0, 0}  (216, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364\271\0@\0\314wH&\25\0X\364\271\0\300\364\271\0\0\267\362v\300\364\271\0H&\25\0\1\0\0\0\3109\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 316, 1512, 2423, 0} "\10\364\271\0@\0\314wH&\25\0X\364\271\0\300\364\271\0\0\267\362v\300\364\271\0H&\25\0\1\0\0\0\3109\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {64, 88, reply, 56, 316, 1512, 2423, 0}  (216, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364\271\0@\0\314wH&\25\0X\364\271\0\300\364\271\0\0\267\362v\300\364\271\0H&\25\0\1\0\0\0\3109\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 316, 1512, 2423, 0} "\10\364\271\0@\0\314wH&\25\0X\364\271\0\300\364\271\0\0\267\362v\300\364\271\0H&\25\0\1\0\0\0\3109\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01621  1512   NtClose  (212, ... ) == 0x0
 01622  1512   NtClose  (216, ... ) == 0x0
 01623  1512   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) , 0, ... 216, 2, ) == 0x0
 01624  1512   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 212, ) }, ... 212, ) == 0x0
 01625  1512   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01626  1512   NtQueryValueKey  (216,  (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01627  1512   NtQueryValueKey  (216,  (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01628  1512   NtClose  (216, ... ) == 0x0
 01629  1512   NtClose  (212, ... ) == 0x0
 01630  1512   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 212, ) }, ... 212, ) == 0x0
 01631  1512   NtQueryValueKey  (212,  (212, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01632  1512   NtClose  (212, ... ) == 0x0
 01633  1512   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12185800, ... ) }, 12185800, ... ) == 0x0
 01634  1512   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
 01635  1512   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 212, ... 216, ) == 0x0
 01636  1512   NtClose  (212, ... ) == 0x0
 01637  1512   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 16384, ) == 0x0
 01638  1512   NtClose  (216, ... ) == 0x0
 01639  1512   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01640  1512   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12186116, ... ) }, 12186116, ... ) == 0x0
 01641  1512   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0
 01642  1512   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0
 01643  1512   NtQuerySection  (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01644  1512   NtClose  (216, ... ) == 0x0
 01645  1512   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0
 01646  1512   NtClose  (212, ... ) == 0x0
 01647  1512   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 212, ) }, ... 212, ) == 0x0
 01648  1512   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 01649  1512   NtClose  (212, ... ) == 0x0
 01650  1512   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 01651  1512   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 216, ) }, ... 216, ) == 0x0
 01652  1512   NtQueryValueKey  (216,  (216, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (216, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01653  1512   NtClose  (216, ... ) == 0x0
 01654  1512   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12185800, ... ) }, 12185800, ... ) == 0x0
 01655  1512   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01656  1512   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01657  1512   NtAllocateVirtualMemory  (-1, 4063232, 0, 4096, 4096, 4, ... 4063232, 4096, ) == 0x0
 01658  1512   NtAllocateVirtualMemory  (-1, 4067328, 0, 8192, 4096, 4, ... 4067328, 8192, ) == 0x0
 01659  1512   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 01660  1512   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 216, ) == 0x0
 01661  1512   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12186076, 112, ... 220, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12186076, 112, ... 220, 0x0, 0x0, 0x0, 112, ) == 0x0
 01662  1512   NtRequestWaitReplyPort  (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 12185840}  (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 12185840} "\0$\370w\240\367\271\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\350(\25\0\4\0\0\0\350(\25\0\20\344\314w\350(\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0PJ\25\0\270H\25\0(J\25\0\0\0\0\0\0\0\0\0\0\0\0\0PJ\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 316, 1512, 2426, 0} "\7$\370w\240\367\271\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\350(\25\0\377\377\377\377\350(\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0PJ\25\0\270H\25\0(J\25\0\0\0\0\0\0\0\0\0\0\0\0\0PJ\25\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {128, 152, reply, 0, 316, 1512, 2426, 0}  (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 12185840} "\0$\370w\240\367\271\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\350(\25\0\4\0\0\0\350(\25\0\20\344\314w\350(\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0PJ\25\0\270H\25\0(J\25\0\0\0\0\0\0\0\0\0\0\0\0\0PJ\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 316, 1512, 2426, 0} "\7$\370w\240\367\271\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\350(\25\0\377\377\377\377\350(\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0PJ\25\0\270H\25\0(J\25\0\0\0\0\0\0\0\0\0\0\0\0\0PJ\25\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01663  1512   NtRequestWaitReplyPort  (220, {104, 128, new_msg, 0, 316, 1512, 2422, 0}  (220, {104, 128, new_msg, 0, 316, 1512, 2422, 0} "\1P\0\0A\2\11\0\0\0\0\0S\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0 ...  ...
 01461  1508   NtDelayExecution  ... ) == 0x0
 01664  1508   NtEnumerateValueKey  (144, 3, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01665  1508   NtClose  (144, ... ) == 0x0
 01666  1508   NtDelayExecution  (0, {-10240000, -1}, ...
 01447  1516   NtDelayExecution  ... ) == 0x0
 01667  1516   NtContinue  (13234856, 0, ...
 01668  1516   NtDelayExecution  (0, {-20480000, -1}, ...
 01666  1508   NtDelayExecution  ... ) == 0x0
 01669  1508   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 144, {status=0x0, info=1}, ) }, 3, 16417, ... 144, {status=0x0, info=1}, ) == 0x0
 01670  1508   NtQueryDirectoryFile  (144, 0, 0, 0, 11139556, 616, BothDirectory, 1,  (144, 0, 0, 0, 11139556, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01671  1508   NtAllocateVirtualMemory  (-1, 1396736, 0, 8192, 4096, 4, ... 1396736, 8192, ) == 0x0
 01672  1508   NtQueryDirectoryFile  (144, 0, 0, 0, 1395408, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4018}, ) == 0x0
 01673  1508   NtDelayExecution  (0, {-10240000, -1}, ... ) == 0x0
 01674  1508   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 224, {status=0x0, info=1}, ) }, 3, 16417, ... 224, {status=0x0, info=1}, ) == 0x0
 01675  1508   NtQueryDirectoryFile  (224, 0, 0, 0, 11139496, 616, BothDirectory, 1,  (224, 0, 0, 0, 11139496, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0
 01676  1508   NtQueryDirectoryFile  (224, 0, 0, 0, 1399512, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3982}, ) == 0x0
 01677  1508   NtDelayExecution  (0, {-10240000, -1}, ...
 01668  1516   NtDelayExecution  ... ) == 0x0
 01678  1516   NtContinue  (13234856, 0, ...
 01679  1516   NtDelayExecution  (0, {-20480000, -1}, ...
 01677  1508   NtDelayExecution  ... ) == 0x0
 01680  1508   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\REPAIR\"}, 3, 16417, ... 228, {status=0x0, info=1}, ) }, 3, 16417, ... 228, {status=0x0, info=1}, ) == 0x0
 01681  1508   NtQueryDirectoryFile  (228, 0, 0, 0, 11139436, 616, BothDirectory, 1,  (228, 0, 0, 0, 11139436, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0
 01682  1508   NtAllocateVirtualMemory  (-1, 1404928, 0, 8192, 4096, 4, ... 1404928, 8192, ) == 0x0
 01683  1508   NtQueryDirectoryFile  (228, 0, 0, 0, 1403712, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1240}, ) == 0x0
 01684  1508   NtQueryDirectoryFile  (228, 0, 0, 0, 1403712, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01685  1508   NtClose  (228, ... ) == 0x0
 01686  1508   NtDelayExecution  (0, {-5120000, -1}, ... ) == 0x0
 01687  1508   NtDelayExecution  (0, {-10240000, -1}, ...
 01679  1516   NtDelayExecution  ... ) == 0x0
 01688  1516   NtContinue  (13234856, 0, ...
 01689  1516   NtDelayExecution  (0, {-20480000, -1}, ...
 01687  1508   NtDelayExecution  ... ) == 0x0
 01690  1508   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\INF\"}, 3, 16417, ... 228, {status=0x0, info=1}, ) }, 3, 16417, ... 228, {status=0x0, info=1}, ) == 0x0
 01691  1508   NtQueryDirectoryFile  (228, 0, 0, 0, 11139436, 616, BothDirectory, 1,  (228, 0, 0, 0, 11139436, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0
 01692  1508   NtQueryDirectoryFile  (228, 0, 0, 0, 1403712, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3990}, ) == 0x0
 01693  1508   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\5\0\0\0H\0\0\0\0\0\1\0p\342\0\20\34\0\0\0\0\0\0\0\34\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0I\0N\0F\0\\0u\0n\0r\0e\0g\0m\0p\02\0.\0e\0x\0e\0\0\0", 96, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 96, 1024, ... {status=0x103, info=28},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\5\0\0\0H\0\0\0\0\0\1\0p\342\0\20\34\0\0\0\0\0\0\0\34\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0I\0N\0F\0\\0u\0n\0r\0e\0g\0m\0p\02\0.\0e\0x\0e\0\0\0", 96, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103
 01694  1508   NtDelayExecution  (0, {-20480000, -1}, ...
 01689  1516   NtDelayExecution  ... ) == 0x0
 01695  1516   NtContinue  (13234856, 0, ...
 01696  1516   NtDelayExecution  (0, {-20480000, -1}, ...
 01694  1508   NtDelayExecution  ... ) == 0x0
 01697  1508   NtQueryDirectoryFile  (228, 0, 0, 0, 1403712, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4014}, ) == 0x0
 01698  1508   NtQueryDirectoryFile  (228, 0, 0, 0, 1403712, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3986}, ) == 0x0
 01699  1508   NtDelayExecution  (0, {-81920000, -1}, ...
 01696  1516   NtDelayExecution  ... ) == 0x0
 01700  1516   NtContinue  (13234856, 0, ...
 01701  1516   NtDelayExecution  (0, {-20480000, -1}, ... ) == 0x0
 01702  1516   NtContinue  (13234856, 0, ...
 01703  1516   NtDelayExecution  (0, {-20480000, -1}, ... ) == 0x0
 01704  1516   NtContinue  (13234856, 0, ...
 01705  1516   NtDelayExecution  (0, {-20480000, -1}, ... ) == 0x0
 01706  1516   NtContinue  (13234856, 0, ...
 01707  1516   NtDelayExecution  (0, {-20480000, -1}, ...
 01699  1508   NtDelayExecution  ... ) == 0x0
 01708  1508   NtQueryDirectoryFile  (228, 0, 0, 0, 1403712, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4044}, ) == 0x0
 01709  1508   NtQueryDirectoryFile  (228, 0, 0, 0, 1403712, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4078}, ) == 0x0
 01710  1508   NtQueryDirectoryFile  (228, 0, 0, 0, 1403712, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4066}, ) == 0x0
 01711  1508   NtDelayExecution  (0, {-81920000, -1}, ...
 01663  1512   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 316, 1512, 2427, 0}  ... {44, 68, reply, 0, 316, 1512, 2427, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 01712  1512   NtClose  (216, ... ) == 0x0
 01713  1512   NtClose  (220, ... ) == 0x0
 01714  1512   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 220, ) }, ... 220, ) == 0x0
 01715  1512   NtQueryValueKey  (220,  (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01716  1512   NtQueryValueKey  (220,  (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01717  1512   NtQueryValueKey  (220,  (220, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01718  1512   NtClose  (220, ... ) == 0x0
 01719  1512   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01720  1512   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 12186836, ... ) }, 12186836, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01721  1512   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rasadhlp.dll"}, 12186836, ... ) }, 12186836, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01722  1512   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 12186836, ... ) }, 12186836, ... ) == 0x0
 01723  1512   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 220, {status=0x0, info=1}, ) }, 5, 96, ... 220, {status=0x0, info=1}, ) == 0x0
 01724  1512   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 220, ... 216, ) == 0x0
 01725  1512   NtQuerySection  (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01726  1512   NtClose  (220, ... ) == 0x0
 01727  1512   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0
 01728  1512   NtClose  (216, ... ) == 0x0
 01729  1512   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 216, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 216, {status=0x0, info=0}, ) == 0x0
 01730  1512   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 220, ) == 0x0
 01731  1512   NtDeviceIoControlFile  (216, 220, 0x0, 0x0, 0xf14014,  (216, 220, 0x0, 0x0, 0xf14014, "\3\0\0\0www.microsoft.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 01732  1512   NtClose  (220, ... ) == 0x0
 01733  1512   NtClose  (216, ... ) == 0x0
 01734  1512   NtDelayExecution  (0, {1770094592, -2}, ...
 01707  1516   NtDelayExecution  ... ) == 0x0
 01735  1516   NtContinue  (13234856, 0, ...
 01736  1516   NtDelayExecution  (0, {-20480000, -1}, ...
 01225   388   NtUserWaitForInputIdle  ... ) == 0x102
 01737   388   NtClose  (116, ... ) == 0x0
 01738   388   NtClose  (120, ... ) == 0x0
 01739   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01740   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01741   388   NtDelayExecution  (0, {-10000000, -1}, ...
 01736  1516   NtDelayExecution  ... ) == 0x0
 01742  1516   NtContinue  (13234856, 0, ...
 01743  1516   NtDelayExecution  (0, {-20480000, -1}, ...
 01741   388   NtDelayExecution  ... ) == 0x0
 01744   388   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "9ec754a20fe66d46a39824016be8058a92b8"}, 0, ... 120, ) }, 0, ... 120, ) == 0x0
 01745   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01746   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1238208, ... ) }, 1238208, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01747   388   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1238208, ... ) }, 1238208, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01748   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1238208, ... ) }, 1238208, ... ) == 0x0
 01749   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 01750   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 116, ... 216, ) == 0x0
 01751   388   NtQuerySection  (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01752   388   NtClose  (116, ... ) == 0x0
 01753   388   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 01754   388   NtClose  (216, ... ) == 0x0
 01755   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 216, ) }, ... 216, ) == 0x0
 01756   388   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 01757   388   NtClose  (216, ... ) == 0x0
 01758   388   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 216, ) == 0x0
 01759   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0
 01760   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 220, ) }, ... 220, ) == 0x0
 01761   388   NtNotifyChangeKey  (220, 116, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 01762   388   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 01763   388   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 232, ) == 0x0
 01764   388   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 236, ) == 0x0
 01765   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01766   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1238212, ... ) }, 1238212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01767   388   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1238212, ... ) }, 1238212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01768   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1238212, ... ) }, 1238212, ... ) == 0x0
 01769   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 01770   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0
 01771   388   NtQuerySection  (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01772   388   NtClose  (240, ... ) == 0x0
 01773   388   NtMapViewOfSection  (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0
 01774   388   NtClose  (244, ... ) == 0x0
 01775   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01776   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237408, ... ) }, 1237408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01777   388   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237408, ... ) }, 1237408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01778   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237408, ... ) }, 1237408, ... ) == 0x0
 01779   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0
 01780   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 244, ... 240, ) == 0x0
 01781   388   NtQuerySection  (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01782   388   NtClose  (244, ... ) == 0x0
 01783   388   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 01784   388   NtClose  (240, ... ) == 0x0
 01785   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01786   388   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 14548992, 262144, ) == 0x0
 01787   388   NtAllocateVirtualMemory  (-1, 14548992, 0, 4096, 4096, 4, ... 14548992, 4096, ) == 0x0
 01788   388   NtAllocateVirtualMemory  (-1, 14553088, 0, 8192, 4096, 4, ... 14553088, 8192, ) == 0x0
 01789   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01790   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01791   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01792   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01793   388   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01794   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1238216, ... ) }, 1238216, ... ) == 0x0
 01795   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 01796   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 240, ... 244, ) == 0x0
 01797   388   NtQuerySection  (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01798   388   NtClose  (240, ... ) == 0x0
 01799   388   NtMapViewOfSection  (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 01800   388   NtClose  (244, ... ) == 0x0
 01801   388   NtAllocateVirtualMemory  (-1, 3293184, 0, 8192, 4096, 4, ... 3293184, 8192, ) == 0x0
 01802   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01803   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 01804   388   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01805   388   NtClose  (244, ... ) == 0x0
 01806   388   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 244, ) }, ... 244, ) == 0x0
 01807   388   NtOpenKey  (0x20019, {24, 244, 0x40, 0, 0,  (0x20019, {24, 244, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01808   388   NtClose  (244, ... ) == 0x0
 01809   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 244, ) }, ... 244, ) == 0x0
 01810   388   NtQueryValueKey  (244,  (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01811   388   NtQueryValueKey  (244,  (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01812   388   NtQueryValueKey  (244,  (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01813   388   NtQueryValueKey  (244,  (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 01814   388   NtClose  (244, ... ) == 0x0
 01815   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 244, ) }, ... 244, ) == 0x0
 01816   388   NtQueryValueKey  (244,  (244, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01817   388   NtQueryValueKey  (244,  (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01818   388   NtQueryValueKey  (244,  (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01819   388   NtQueryValueKey  (244,  (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01820   388   NtQueryValueKey  (244,  (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (244, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 01821   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237768, ... ) }, 1237768, ... ) == 0x0
 01822   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 01823   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 240, ... 248, ) == 0x0
 01824   388   NtClose  (240, ... ) == 0x0
 01825   388   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe20000), 0x0, 135168, ) == 0x0
 01826   388   NtClose  (248, ... ) == 0x0
 01827   388   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 01828   388   NtQuerySystemInformation  (KernelDebugger, 2, ... {system info, class 35, size 2}, 0xffffffff, ) == 0x0
 01829   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238656, ... ) }, 1238656, ... ) == 0x0
 01830   388   NtQueryFullAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1239324, ... ) }, 1239324, ... ) == 0x0
 01831   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1239180,  (0x80100080, {24, 0, 0x40, 0, 1239180, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) == 0x0
 01832   388   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 248, ... 240, ) == 0x0
 01833   388   NtMapViewOfSection  (240, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe20000), {0, 0}, 135168, ) == 0x0
 01834   388   NtQueryDefaultLocale  (1, 1238988, ... ) == 0x0
 01835   388   NtQueryVirtualMemory  (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01836   388   NtQueryVirtualMemory  (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01837   388   NtReadFile  (248, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (248, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01838   388   NtQueryInformationFile  (248, 1239232, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01839   388   NtSetInformationFile  (248, 1239232, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01840   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01841   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01842   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01843   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01844   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01845   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01846   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01847   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01848   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01849   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01850   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01851   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01852   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01853   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01854   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01855   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01856   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01857   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01858   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01859   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01860   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01861   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01862   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01863   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01864   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01865   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01866   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01867   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01868   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01869   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01870   388   NtReadFile  (248, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (248, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01871   388   NtQueryInformationFile  (248, 1239232, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01872   388   NtSetInformationFile  (248, 1239232, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01873   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\1\0\0P\1\0\0>\371\230\274_\256\254\300\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0", ) , ) == 0x0
 01874   388   NtReadFile  (248, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208},  (248, 0, 0, 0, 1208, 0x0, 0, ... {status=0x0, info=1208}, "\337:J;i;\266;\300;\317;\365;\3<\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939", ) == 0x0
 01875   388   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 01876   388   NtClose  (240, ... ) == 0x0
 01877   388   NtClose  (248, ... ) == 0x0
 01878   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1237712, ... ) }, 1237712, ... ) == 0x0
 01879   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 248, {status=0x0, info=1}, ) }, 5, 96, ... 248, {status=0x0, info=1}, ) == 0x0
 01880   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 248, ... 240, ) == 0x0
 01881   388   NtClose  (248, ... ) == 0x0
 01882   388   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe20000), 0x0, 135168, ) == 0x0
 01883   388   NtClose  (240, ... ) == 0x0
 01884   388   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 01885   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1238028, ... ) }, 1238028, ... ) == 0x0
 01886   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 01887   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 240, ... 248, ) == 0x0
 01888   388   NtQuerySection  (248, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01889   388   NtClose  (240, ... ) == 0x0
 01890   388   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xffd0000), 0x0, 139264, ) == 0x0
 01891   388   NtClose  (248, ... ) == 0x0
 01892   388   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01893   388   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01894   388   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01895   388   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01896   388   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01897   388   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01898   388   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01899   388   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01900   388   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01901   388   NtProtectVirtualMemory  (-1, (0xffd1000), 492, 4, ... (0xffd1000), 4096, 32, ) == 0x0
 01902   388   NtProtectVirtualMemory  (-1, (0xffd1000), 4096, 32, ... (0xffd1000), 4096, 4, ) == 0x0
 01903   388   NtFlushInstructionCache  (-1, 268242944, 492, ... ) == 0x0
 01904   388   NtAllocateVirtualMemory  (-1, 1413120, 0, 20480, 4096, 4, ... 1413120, 20480, ) == 0x0
 01905   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01906   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01907   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01908   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01909   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01910   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01911   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01912   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01913   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01914   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01915   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01916   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01917   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01918   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01919   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01920   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01921   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01922   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01923   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01924   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01925   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01926   388   NtQueryDefaultLocale  (1, 1236880, ... ) == 0x0
 01927   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236980, ... ) }, 1236980, ... ) == 0x0
 01928   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237712,  (0x80100080, {24, 0, 0x40, 0, 1237712, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) == 0x0
 01929   388   NtQueryVolumeInformationFile  (248, 1237872, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01930   388   NtQueryInformationFile  (248, 1237764, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01931   388   NtQueryInformationFile  (248, 1238056, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01932   388   NtClose  (248, ... ) == 0x0
 01933   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1236472, ... ) }, 1236472, ... ) == 0x0
 01934   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237204,  (0x80100080, {24, 0, 0x40, 0, 1237204, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) == 0x0
 01935   388   NtQueryVolumeInformationFile  (248, 1237364, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01936   388   NtQueryInformationFile  (248, 1237256, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01937   388   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 248, ... 240, ) == 0x0
 01938   388   NtMapViewOfSection  (240, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe20000), {0, 0}, 135168, ) == 0x0
 01939   388   NtQueryDefaultLocale  (1, 1237344, ... ) == 0x0
 01940   388   NtQueryVirtualMemory  (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01941   388   NtQueryVirtualMemory  (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01942   388   NtQueryDefaultLocale  (1, 1237344, ... ) == 0x0
 01943   388   NtQueryVirtualMemory  (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01944   388   NtQueryVirtualMemory  (-1, 0xe20000, Basic, 28, ... {BaseAddress=0xe20000,AllocationBase=0xe20000,AllocationProtect=0x2,RegionSize=0x21000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01945   388   NtReadFile  (248, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336},  (248, 0, 0, 0, 336, 0x0, 0, ... {status=0x0, info=336}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\264\336V\215\360\2778\336\360\2778\336\360\2778\336\275\234$\336\377\2778\3369\235\22\336\365\2778\336\360\2779\336q\2778\336\12\234!\336\371\2778\336\360\2778\336\362\2778\336\12\234x\336\363\2778\336\12\234\7\336\361\2778\336g\234}\336\361\2778\336*\234%\336\361\2778\336*\234$\336\376\2778\336\12\234\5\336\361\2778\336Rich\360\2778\336\0\0\0\0\0\0\0\0PE\0\0L\1\4\0.FQ;\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\300\1\0\0@\0\0\0\0\0\0\340\367\0\0\0\20\0\0\0\320\1\0\0\0\375\17\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0 \2\0\0\4\0\0", ) , ) == 0x0
 01946   388   NtQueryInformationFile  (248, 1237592, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01947   388   NtSetInformationFile  (248, 1237592, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01948   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\314\1\0\273\2\0\0\304\301\1\0d\0\0\0\0\0\2\08\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\0\0\12\0\0\360\21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\354\1\0\0\274\277\1\0\340\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\33\277\1\0\0\20\0\0\0\300\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0(%\0\0\0\320\1\0\0$\0\0\0\304\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\08\14\0\0\0\0\2\0\0\16\0\0\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.reloc\0\0R\13\0\0\0\20\2\0\0\14\0\0\0\366\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01949   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", )  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "*\305\357\357\345O\252\252\26\355\373\373\305\206CC\327\232MMUf33\224\21\205\205\317\212EE\20\351\371\371\6\4\2\2\201\376\177\177\360\240PPDx<<\272%\237\237\343K\250\250\363\242QQ\376]\243\243\300\200@@\212\5\217\217\255?\222\222\274!\235\235Hp88\4\361\365\365\337c\274\274\301w\266\266u\257\332\332cB!!0 \20\20\32\345\377\377\16\375\363\363m\277\322\322L\201\315\315\24\30\14\145&\23\23/\303\354\354\341\276__\2425\227\227\314\210DD9.\27\27W\223\304\304\362U\247\247\202\374~~Gz==\254\310dd\347\272]]+2\31\31\225\346ss\240\300``\230\31\201\201\321\236OO\177\243\334\334fD""~T**\253;\220\220\203\13\210\210\312\214FF)\307\356\356\323k\270\270<(\24\24y\247\336\336\342\274^^\35\26\13\13v\255\333\333;\333\340\340Vd22Nt::\36\24\12\12\333\222II\12\14\6\6lH$$\344\270\\]\237\302\302n\275\323\323\357C\254\254\246\304bb\2509\221\221\2441\225\2257\323\344\344\213\362yy2\325\347\347C\213\310\310Yn77\267\332mm\214\1\215\215d\261\325\325\322\234NN\340I\251\251\264\330ll\372\254VV\7\363\364\364%\317\352\352\257\312ee\216\364zz\351G\256\256\30\20\10\10\325o\272\272\210\360xxoJ%%r\..$8\34\34\361W\246\246\307s\264\264Q\227\306\306#\313\350\350|\241\335\335\234\350tt!>\37\37\335\226KK\334a\275\275\206\15\213\213\205\17\212\212\220\340ppB|>>\304q\265\265\252\314ff\330\220HH\5\6\3\3\1\367\366\366\22\34\16\16\243\302aa_j55\371\256WW\320i\271\271\221\27\206\206X\231\301\301", ) , ) == 0x0
 01950   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) \340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227 (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) G\351d\304\250\374\214\32\240\360?\330V},\357 (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\351|B\17\311\370\204\36\0\0\0\0\203\11\200\206H2+\355\254\36\21pNlZr\373\375\16\377V\17\2058\36=\256\325'6-9d\12\17\331!h\\246\321\233[T:$6.\261\14\12g\17\223W\347\322\264\356\226\236\33\233\221O\200\300\305\242a\334 iZwK\26\34\22\32\12\342\223\272\345\300\240*C<"\340\35\22\33\27\13\16\11\15\255\362\213\307\271-\266\250\310\24\36\251\205W\361\31L\257u\7\273\356\231\335\375\243\177`\237\367\1&\274\r\365\305Df;4[\373~v\213C)\334\313#\306h\266\355\374c\270\344\361\312\3271\334\20Bc\205@\23\227" \204\306\21}\205J$\370\322\273=\21\256\3712m\307)\241K\35\236/\363\334\2620\354\15\206R\320w\301\343l+\263\26\231\251p\271\372\21\224H"G\351d\304\250\374\214\32\240\360?\330V},\357"3\220\307\207IN\301\3318\321\376\214\312\2426\230\324\13\317\246\365\201(\245z\336&\332\267\216\244?\255\277\344,:\235\15Px\222\233j_\314bT~F\302\366\215\23\350\220\330\270^.9\367\365\202\303\257\276\237]\200|i\320\223\251o\325-\263\317%\22;\310\254\231\247\20\30}n\350\234c{\333;\273\11\315&x\364nY\30\1\354\232\267\250\203O\232e\346\225n~\252\377\346\10!\274\317\346\357\25\350\331\272\347\233\316Jo6\324\352\237\11\326)\260|\2571\244\2621*?#0\306\245\224\3005\242f7tN\274\246\374\202\312\260\340\220\320\253\247\330J\361\4\230\367A\354\332\16\177\315P/\27\221\366\215vM\326MC\357\260T\314\252M\337\344\226\4\343\236\321\265\33Lj\210\270\301,\37\177FeQ\4\235^\352]\1\2145s\372\207t.\373\13AZ\263g\35R\222\333\322", ) , ) == 0x0
 01951   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "p\3252\266m\307)\241f\311 \254W\343\37\217\\355\26\202A\377\15\225J\361\4\230#\253s\323(\245z\3365\267a\311>\271h\304\17\223W\347\4\235^\352\31\217E\375\22\201L\360\313;\253k\3005\242f\335'\271q\326)\260|\347\3\217_\354\15\206R\361\37\235E\372\21\224H\223K\343\3\230E\352\16\205W\361\31\216Y\370\24\277s\3077\264}\316:\251o\325-\242a\334 \366\255vm\375\243\177`\340\261dw\353\277mz\332\225RY\321\233[T\314\211@C\307\207IN\256\335>\5\245\3237\10\270\301,\37\263\317%\22\202\345\321\211\353\23<\224\371\10+\237\367\1&FM\346\275MC\357\260PQ\364\247[_\375\252ju\302\211a{\313\204|i\320\223wg\331\236\36=\256\325\253\247\330\10!\274\317\3/\265\3022\5\212\3419\13\203\354$\31\230\373/\27\221\366\215vM\326\206xD\333\233j_\314\220dV\301\241Ni\342\252@`\357\267R{\370\274\r\365\325\6\5\276\336\10\14\263\303\32\27\244\310\24\36\251\371>!\212\3620(\207\357"3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) 3\220\344,:\235=\226\335\66\230\324\13+\212\317\34 \204\306\21\21\256\3712\32\240\360?\7\262\353(\14\274\342%e\346\225nn\350\234cs\372\207tx\364\216yI\336\261ZB\320\270W_\302\243@T\314\252M\367A\354\332\374O\345\327\341]\376\300\352S\367\315\333y\310\356\320w\301\343\315e\332\364\306k\323\371\2571\244\262\244?\255\277\271-\266\250\262#\277\245\203\11\200\206\210\7\211\213\225\25\222\234\236\33\233\221G\241|\12L\257u\7Q\275n\20Z\263g\35k\231X>`\227Q3}\205J$v\213C)\37\3214b\24\337=o\11\315&x\2\303/u3\351\20V8\347\31[", ) == 0x0
 01952   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\200\20\0\0\200\0\0\20\0\20@\20\0\0\0\0\200\0@\20\0\20\0\0\200\20@\0\0\20@\20\0\0\0\0\0\20\0\20\200\0@\20\0\20@\0\200\0\0\20\200\20\0\0\0\0@\0\0\0\0\20\0\20\0\20\200\0@\20\200\20\0\0\200\20@\20\0\0@\0\0\0@\0\0\20\0\20\200\0\0\20\200\20@\20\0\20\0\0\200\20@\0\200\0@\20\200\20\0\20\200\20@\20\0\20\0\20\0\0@\0\0\0\0\0\0\0@\20\200\0\0\0\0\20\0\20\0\20@\0\200\0\0\0\0\0@\20\200\20\0\20\200\0@\0\200\20@\0\200\0\0\0\0\0\0\20\0\0@\20\0\0\0\20\200\20@\0\200\20\0\0\0\20@\20\0\20@\0\0\20\0\20\200\0\0\0\200\0@\20\200\0@\20\0\0\0\0\0\20@\0\200\20\0\1\0\0\4\0\1\4\4\0\1\0\0\1\1\0\4\1\0\4\0\0\0\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\4\0\0\0\4\4\1\0\0\0\1\1\4\4\1\1\0\0\1\0\0\0\1\0\4\4\0\0\0\0\1\0\4\0\0\1\4\4\0\1\0\0\1\1\0\0\1\1\4\4\0\0\4\0\1\0\0\4\1\0\4\4\0\1\0\4\1\1\4\0\0\0\4\4\0\1\4\0\0\0\0\0\0\0\0\4\1\1\4\0\0\1\4\4\0\1\0\0\1\0\0\0\0\0\4\0\1\1\0\0\1\0\4\0\0\0\4\4\1\1\0\4\0\0\0\0\0\1\4\4\0\1\4\0\1\0\4\4\1\0\4\0\0\0\0\4\1\1\4\4\1\0\0\0\1\1\4\0\1\0\0\4\0\0\0\4\1\1\4\4\0\0\4\0\0\1\0\4\1\1\0\4\0\1\4\0\0\1\0\4\0\0\0\0\1\0\4\4\1\1\0\0\1\0\0\4\1\1\4\0\0\1\0\0\0\0\4\4\10\20@\0\0\20\0\20\10\0\0\0\10\20@\20", ) , ) == 0x0
 01953   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "%\00\02\0h\0x\0%\00\02\0h\0x\0\0\0\0\0%\0l\0u\0\0\0S\0-\0%\0l\0u\0-\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0R\0S\0A\0\\0\0\0\0\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0C\0r\0y\0p\0t\0o\0\\0D\0S\0S\0\\0\0\0\0\0SeRestorePrivilege\0\0SeBackupPrivilege\0\0\0.DEFAULT\0\0\0\0Software\Microsoft\Cryptography\UserKeys\0\0\0\0Software\Microsoft\Cryptography\MachineKeys\0Software\Microsoft\Cryptography\DSSUserKeys\0*\0\0\0SeSecurityPrivilege\0OffloadModExpo\0\0ExpoOffload\0Software\Microsoft\Cryptography\Offload\0\377\377\377\377\337\261\376\17\343\261\376\17\0\0\0\0\377\377\377\377g\262\376\17k\262\376\17crypt32.dll\0#666\0\0\0\0#667\0\0\0\0RPCRT4.dll\0\377\0\0\0\0PSTOREC.", ) , ) == 0x0
 01954   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "V\350\216\376\377\377\205\300u\13Sj\1\377u\30\350o\205\0\0\213\3703\300\205\377\17\224\300\213\360\205\366u\36\205\333t\23\213C\14\205\300t\6P\350\367\20\1\0S\350\361\20\1\0W\377\25\230\21\375\17_\213\306^[]\302\24\09U\20\17\204L\1\0\0\215E\24Pj\2Q\377u\20\350\334\204\0\0\205\300\17\205*\1\0\0\213E\24\201x\4\6L\0\0\17\205%\1\0\0\213H\30\203\271`\3\0\0\0tQ\203x\140uK\2708\2\0\0P\211C\10\350a\20\1\0\213\370\205\377\211{\14u\10j\10_\351k\377\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213{\14\213E\24\213p\20j\14\201\307\10\2\0\0Y\363\245\3512\377\377\377\277\13\0\11\200\3515\377\377\377\213u\20;\362\17\204\263\0\0\0\215E\24Pj\2QV\350E\204\0\0\205\300\17\205\223\0\0\0\211s\20\351\0\377\377\377j$^V\350\351\17\1\0\205\300\211C\14t\212\211s\10\351\350\376\377\377\213}\20;\372tw\215E\24Pj\2QW\350\11\204\0\0\205\300u[\213E\24\203x`\1u]\203x\30\0u\16P\350\\26\0\0\205\300\17\205\276\376\377\377j(^V\350\234\17\1\0\205\300\17\204<\377\377\377\211C\14\211s\10\211{\20\203 \0\203`$\0\351\215\376\377\3779U\20t\36\215E\24Pj\2Q\377u\20\350\256\203\0\0\205\300t\25= \0\11\200\17\205u\376\377\377\277\3\0\11\200\351m\376\377\377\213M\24\213A\4=\1L\0\0t\15=\4L\0\0t\6\203y\140w\334\2708\4\0\0P\211C\10\350*\17\1\0\213\370\205\377\211{\14\17\204\305\376\377\377\213K\10\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213M", ) , ) == 0x0
 01955   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\205\300uC\353D\203x\14\20\3539\203x\14\30\35339t$\20u/\213@\14V\301\340\3P\213D$\20\213\200\200\1\0\0h\2f\0\0\3774\205(\362\376\17\350\6@\1\0\205\300t\13\353\6\203x\14\10u\33\366F\213\306^\302\14\0U\213\354\203\354\14\213M\10\213Q\10VW\215z\7\215B\17\301\357\3j\10\203\347\7\301\350\4Z+\327\203\372\10\215t\300\14\211u\364\211U\370t\6\203\302\10\211U\370\321\352\211U\374\213U\14\205\322\17\204\12\1\0\0\213}\2097s\73\300\351\377\0\0\0\2131\2112\213q\10\211r\4\213q\20\211r\10\215q\24\213J\4\301\351\3\211u\10S\213\331\301\351\2\215z\14\211}\14\363\245\213\313\203\341\3\363\244\213J\4\301\351\3\1M\14\213u\370\3\361\1u\10\213u\10\213}\14\1E\14\213\310\213\331\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\1E\14\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213M\374\213}\14\3\310\1M\10\213u\10\213\310\301\351\2\363\245\213\313\203\341\3\363\244\213J\4\213U\10\213u\374\3\362\213U\14\301\351\3\3\360\215<\2\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213u\364[3\300@\213M\20_\2111^\311\302\14\0U\213\354\203\354\20\213U\10\201:RSA2t\73\300\351\35\2\0\0\213B\4SVW\215H\7\301\351\3j\10\203\341\7^+\361\203\376\10\211u\370t\6\203\306\10\211u\370\213\316\215X\17\301\350\3\321\351\215", ) , ) == 0x0
 01956   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "W\3509e\0\0\205\300j\4[t9\215E\34Pj\3VW\350%e\0\0\205\300t(\215E\34PSVW\350\25e\0\0\205\300t\30= \0\11\200u\12\271\3\0\11\200\351\34\3\0\0\213\310\351\25\3\0\0\213E\30\205\300u\10jWY\351\6\3\0\0\213M\20j\6Z;\312\17\2079\1\0\0\17\204\25\1\0\0I\17\204\342\0\0\0ItgItFIt%I\17\2058\1\0\0\213M\24\205\311\17\204\304\2\0\09\30\17\202\274\2\0\0\213U\34\213Rd\351\250\2\0\0\213M\24\205\311\17\204\246\2\0\09\30\17\202\236\2\0\0\213U\34\213R`\351\212\2\0\0\213M\24\205\311\17\204\210\2\0\09\30\17\202\200\2\0\0\307\1\1\0\0\0\351n\2\0\0\213U\34\213J\4\201\371\2f\0\0t.\201\371\1h\0\0t&\201\371\1f\0\0t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205)\377\377\377\203 \03\311\351E\2\0\0\213}\24\205\377t\37\213J@9\10r\30\213\331\301\351\2\215rD\363\245\213\313\203\341\3\363\244\213J@\211\10\353\323\213J@\367\337\33\377\201\347\352\0\0\0\211\10\213\317\351\11\2\0\0\213}\24\205\377\213U\34t\35\213Jx9\10r\26\213\331\301\351\2\215r\34\363\245\213\313\203\341\3\363\244\213Jx\353\277\213Jx\353\301\213M\24\205\311\17\204\306\1\0\09\30\17\202\276\1\0\0\213U\34\213Rh\351\252\1\0\0\203\351\7\17\204\220\1\0\0I\17\204\376\0\0\0I\17\204\217\0\0\0\203\351\12t\12\271\12\0\11\200\351\231\1\0\0\213}\34\213O\4\201\371\2f\0\0\276\1f\0\0t\30;\316t\24\201\371\3f\0\0t\14\201\371\11f\0\0\17\205H\376\377\377\213M\24\205\311\17\204", ) , ) == 0x0
 01957   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215M\374Qj\2\377u\10\377p\20\350.U\0\0\205\300\17\205\237\2\0\0\213E\374\213@x\351\320\3\0\0Q\350\315\376\377\377\351\305\3\0\0\276\10\0\11\200\351\317\3\0\0\213E\34\213P\4\213\312\201\351\5\200\0\0\17\204U\2\0\0\203\351\3\17\204\14\2\0\0It)IS\377u\24\377p\14t\30\377p\24R\350Q\375\377\377;\307\17\204\204\3\0\0\213\360\351\215\3\0\0\3504{\0\0\353\352\366@\34\2\17\205\275\1\0\0\215M\10Q\215M\324Q\377p\14\307E\10\24\0\0\0\377p\24\377p\30\350\24\375\377\377;\307u\307\215E\374P\213E\34j\2V\377p\20\350\200T\0\0;\307\17\205\361\1\0\0\213E\374\213@\14j@_;\307v\177\215E\354P\215E\360P\213E\34\377p\30\350\255\315\377\377\205\300u\211\213E\374\377p\14\377p\20\213E\34\377u\360\377p\30\350\11\321\377\377\205\300\17\205j\377\377\377W\350\354\337\0\0\205\300\211E\370t[\215M\30QP\377u\360\213E\34j\0\377p\30\211}\30\350\216\374\377\377\205\300\17\205=\377\377\3773\311\213U\34\213R(\213E\370\212\24\12\3\3010\20A;\317r\353\211}\30\353a\213M\34\213I,;\301\211M\30r\3\211E\30\377u\30\350\221\337\0\0\205\300\211E\370u\10j\10^\351\216\2\0\0\213E\34\213H,\213p(\213}\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244\213M\3743\3009A\14v\26\213I\20\213U\370\212\14\1\3\3200\12\213M\374@;A\14r\352\215E\350P\215E\364P\213E\34\377p\30\350\315\314\377\377\205\300\17\205\245\376\377\377\377u\30\213E\34\377u\370\377u\364\377p\30\350(\320\377\377\205\300\17\205\211\376\377\377\377u\10\215E\324P\377u", ) , ) == 0x0
 01958   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300u\36\203}`\5u\34\366Ex\20u\26\205\333u\22\3776\377ul\350\352\371\377\377\205\300t\4\213\360\353\23\3663\300\205\366\17\224\3003\3339]D\213\370t 9]Tt\13\377uT\377ul\350\271\312\377\3779]Xt\13\377uX\377ul\350\251\312\377\377;\373u\249]\t\10\377u\\350Q\316\377\377V\377\25\230\21\375\17\213\307_^[\203\305d\311\302\24\0V\213t$\20V\377t$\20\350\304\363\377\377\205\300u%\213\6\203@@\10\213\6\213L$\10\213P@W\2139\211|\2<\213I\4\211L\2@\3776\350\371\326\377\377_^\302\14\0U\213\354\201\354\200\0\0\0SVW3\300\213u\14\211E\374\211E\360\211E\370\211E\364j\14Y\215}\264\363\253\2523\300j\14Y\215}\200\363\253\2523\300\215}\350\253\253\213F\4\277\1h\0\0;\307\272\16f\0\0\273\17f\0\0t/=\2f\0\0t(=\1f\0\0t!=\3f\0\0t\32=\11f\0\0t\23;\302t\17;\303t\13=\20f\0\0\17\205\327\2\0\0\213M\20\213I\4;\317t8\201\371\2f\0\0t0\201\371\1f\0\0t(\201\371\3f\0\0t \201\371\11f\0\0t\30;\312\17\204\254\2\0\0;\313t\14\201\371\20f\0\0\17\205\225\2\0\0;\312\17\204\224\2\0\0;\313\17\204\214\2\0\0\201\371\20f\0\0\17\204\200\2\0\0;\302\17\204x\2\0\0;\303\17\204p\2\0\0=\20f\0\0\17\204e\2\0\0\213]\10j\0VS\350\301\315\377\377\205\300\17\204J\2\0\0j\0\377u\20S\350\256\315\377\377\205\300\17\2047\2\0\0\213E\20\203x\30\0u\16P\350\310\325\377\377\205\300\17\205\15\1\0\0\213F\4;\307t\17=\2", ) , ) == 0x0
 01959   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\241\204\364\376\17\211E\204\213E\324\211E\200\215U\320Rj\0\213@\4\301\350\3PQ\377\266\200\1\0\0\350\273\276\377\377\205\300\17\204\\377\377\377\203}\320\0\17\204R\377\377\377\213\7\205\300t%P\350\347\300\0\0\203'\0\213E\234\203 \0\213E\220\3770\350\324\300\0\0\213E\220\203 \0\213E\224\203 \0\377u\234j\0\377u\224j\0\377u\324\3509\301\377\377\205\300\17\204\15\377\377\377\213E\234\3770\350t\300\0\0\211\7\205\300\17\204\224\376\377\377\213E\224\3770\350`\300\0\0\213M\220\211\1\205\300\17\204}\376\377\377\377u\234\3777\377u\224P\377u\324\350\365\300\377\377\205\300\17\204\311\376\377\377\17\266E\30\203\340\1\213M\214\211\1j\0j\1\213E\220\3770\3777\350\345-\0\0\211E\240\205\300uTPP\213E\220\3770\3777\350\320-\0\0\211E\240\205\300u?\366F\3\360u\329E\210\17\224\300P\377u\30\377u\204V\350T\22\0\0\211E\240\205\300u\37\377u\343\3009E\210\17\224\300@P\377u\10\350\344\311\377\377\205\300u\21\377\25\234\21\375\17\213\360\211u\244\203M\374\377\353\11\203M\374\3773\366\211u\3303\300\205\366\17\224\300\213\370\203}\310\0t\17\213E\334\5d\1\0\0P\377\25\214\21\375\17\203}\344\0t\10\377u\344\350\263\277\0\0\203}\324\0t\16\203}\270\0u\16\377u\324\350\237\277\0\0\203}\270\0t\6S\350\223\277\0\0\203}\330\0t\10\377u\330\350\22\275\377\377\205\377u\7V\377\25\230\21\375\17\213\307\350\204`\0\0\302\30\03\300@\303\213e\350jW^\203M\374\377\213]\264\351{\377\377\377\213K\4\201\371\0\244\0\0t\14\201\371\0$\0\0\17\205\254\374\377\377\213C\14\215P\7\301\352\3\203\342", ) , ) == 0x0
 01960   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\276\17\0\11\200\353\23\366\213E\370;\307t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3239}\374t\10\377u\374\350\376\260\0\0_\213\306^[\311\302\30\0U\213\354SV\213u\10W\213}\20\215^\34S\377u\20\203\347 W\377u\14\377v\4\350\334\310\0\0\213M\20\203\341\10\204\311t~=\26\0\11\200t\13\205\300ul\270\17\0\11\200\353eS\377u\14\350}\310\0\0\205\300uX\215\206\\1\0\0P\215\236<\1\0\0Sj\0\377u\20\377v\4\377v\\350\356\376\377\377=\26\0\11\200u\307\203;\0u,\205\377u\11\350Y\266\0\0\205\300u!\215F\34PW\215F`P\377v\4\307\206P\1\0\0\2\0\0\0\350g\314\0\0\205\300u\23\300_^[]\302\14\0\205\300u\14\307\206P\1\0\0\2\0\0\0\353\347\215\206\\1\0\0P\215\206<\1\0\0Pj\0\377u\20\377v\4\377u\14\350\177\376\377\377\205\300u\307S\377u\14\350\337\307\0\0\353\266U\213\354\203\354\20SVW3\3773\366\366E\20 \211}\364\211}\370\211}\374\211}\360t\1F\215E\14P\215E\360PW\215E\370P\215E\364P\377u\10\377u\14V\350\326\325\0\0;\307u[\215E\374Ph?\0\17\0W\377u\370\377u\364\3501\324\0\0;\307uB\215E\20P\377u\374\350\276\375\377\377\203}\20\1u\25V\377u\374hP\364\376\17\377u\10\350\1O\0\0;\307u\33\377u\370\377u\364\350\320\324\0\0;\307t\20\203\370\2u\7\273\26\0\11\200\353\6\213\330\353\23\333\213E\364;\307\2135\214\20\375\17t\21=\1\0\0\200t\12=\2\0\0\200t\3P\377\3269}\374t\5\377u\374\377\3269}\370t\10\377u\370\3507\257\0", ) , ) == 0x0
 01961   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\204\16\1\0\0\213\306+\326\212\10\210\14\2@:\313u\366\377u\364\2135\344\21\375\17\377\326Y\215E\314P\215E\344P\215E\340P\215E\334P\215E\330P\215E\324P\215E\20P\215E\354PSSS\377u\370\377\25\230\20\375\17;\303\17\205\274\0\0\0\213E\20\203\300\2P\350\235\240\0\0\211E\374\213E\20\203\300\2P\350\216\240\0\09]\374\211E\360\17\204\231\0\0\0;\303\17\204\221\0\0\09]\354\211]\14vT\213E\20\203\300\2\211E\350\215E\314PSSS\215E\350P\377u\374\377u\14\377u\370\377\25\224\20\375\17;\303u^\377u\374\377u\360\377\25t\21\375\17\377u\374\377\326Y\377u\364\377u\374\377\25d\21\375\17\205\300t\17\377E\14\213E\14;E\354r\2543\366\3534\215\267D\1\0\0\3776\350=\240\0\0S\377u\24\211\36\377u\360W\350'\366\377\377;\303u\15W\377u\10\350\350\373\377\377;\303t\317\213\360\353\3j\10^9]\370t\11\377u\370\377\25\214\20\375\179]\364t\10\377u\364\350\373\237\0\09]\374t\10\377u\374\350\356\237\0\09]\360t\10\377u\360\350\341\237\0\0_\213\306^[\311\302\20\0U\213\354\203\354\34S3\333V\211]\374\350C\244\0\0\367E\14\207\377\377\17t\12\276\11\0\11\200\351\317\3\0\0\213E\14\276\0\0\0\360#\306;\306W\213}\10\211E\370u\23\205\377t\17\200?\0t\12\276\11\0\11\200\351\246\3\0\0j\4\377u\24\377\25\\21\375\17\205\300t\10jW^\351\217\3\0\0\205\377t+\200?\0t+\213\307\215P\1\212\10@\204\311u\371+\302@\366E\14\10tj=\5\1\0\0vc\276\37\0\11\200\351`\3\0\09u\370tuj@^V\350\7\237\0", ) , ) == 0x0
 01962   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\375\173\333C\211]\330\213E\30\211E\274\215E\274P\215E\270P\215E\264P\350\215\202\0\0\205\300u\14\307E\300 \0\11\200\351\250\1\0\0\377u\264\350\305\220\0\0\211E\344\205\300u\14\307E\300\10\0\0\0\351\215\1\0\0\211]\334\377u\270\350\247\220\0\0\213\370\211}\340\205\377t\340\215\206`\1\0\0\2038\377t\20\211E\310\307E\314\277\303\375\17\215E\310\211E\324h\1\0\1\0\377u\30W\377u\344\377u\324\350\177~\0\0\205\300t\222SSW\377u\344\350'\376\377\377\211E\260\205\300\17\205-\1\0\0SPW\377u\344\350\21\376\377\377\211E\260\205\300\17\205\27\1\0\09E\20u2\215~@\211}\254\215\2368\1\0\0\211]\250\215F(\211E\244\215\2064\1\0\0\211E\240\215FH\211E\234\307E\230\1\0\0\0\241T\364\376\17\353-\215~L\211}\254\215\2360\1\0\0\211]\250\215F0\211E\244\215\206,\1\0\0\211E\240\215FT\211E\234\203e\230\0\241X\364\376\17\211E\224\213\7\205\300t\15P\350\374\217\0\0\3773\350\365\217\0\0\203e\334\0\213E\270\213M\240\211\1\213E\264\213M\244\211\1\213E\340\211\3\213E\344\211\7\17\266E\14\203\340\1\213M\234\211\1\366F\3\360u\26\377u\230\377u\14\377u\224V\350\361\341\377\377\211E\260\205\300uW\213}\24W\203}\20\0u\36j\2\377u\10\350\202\231\377\377\205\300u\10\377\25\234\21\375\17\3537\215E\320Pj\3\353\24j\1\377u\10\350d\231\377\377\205\300t\342\215E\320Pj\4\377u\10\3777\350|\3\0\0\211E\260\205\300t\23= \0\11\200u\3\203\300\343\211E\300\203M\374\377\3536\270\0@\0\0\205E\14t\15\213M\320\11A\10\213E\320\200Hi\1", ) , ) == 0x0
 01963   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "h\3\0\0V\350\362\200\0\0\213\370\205\377\211{\30u\10j\10X\3518\2\0\0\271\332\0\0\03\300\363\253\211s\24\213E\20\213{\30j\24Y;\301\17\2058\1\0\0\213u\24\213F\14\211\207d\3\0\0\213\6\203\350\0\17\204\244\0\0\0Ht\12\270\5\0\11\200\351\367\1\0\0\213F\10\250\7u\357\215M\374Qj\0\301\350\3P\377v\4\213E\10\377\260\200\1\0\0\350d~\377\377\205\300u\12\270\11\0\11\200\351\307\1\0\0\213F\4-\1f\0\0t\33Ht\30Ht\25\203\350\6t\20-\370\1\0\0u\252\203\247\\3\0\0\0\353\12\307\207\\3\0\0\10\0\0\0\201{\4\5L\0\0u\25\213F\10\301\350\3;C\14t\12\270\3\0\11\200\351z\1\0\0\213F\10\301\350\3\211\207P\3\0\0\213F\4\211\207H\3\0\0\351^\1\0\0\213F\4-\3\200\0\0t9H\17\205N\377\377\377\201{\4\4L\0\0u\24\211\217X\3\0\0\213F\10\301\350\3\211\207T\3\0\0\353A\201~\10\240\0\0\0\17\205$\377\377\377\211\217T\3\0\0\353,\201{\4\4L\0\0u\14\307\207X\3\0\0\20\0\0\0\353\310\201~\10\200\0\0\0\17\205\372\376\377\377\307\207T\3\0\0\20\0\0\0\213F\4\211\207L\3\0\0\351\341\0\0\0\203\350\25\17\204\253\0\0\0H\17\204\205\0\0\0\203\350\4t?Ht\12\270\12\0\11\200\351\301\0\0\0\213E\24\213\10\201\371\0\1\0\0\17\207\257\376\377\377\213[\4\201\373\4L\0\0t\10\201\373\5L\0\0u\322\211\217D\3\0\0\201\307D\2\0\0\353z\201{\4\4L\0\0u\273\213\207<\2\0\0\205\300t\6P\350O\177\0\0\213u\24\213\6P\211\207@\2\0\0\350\16\177\0\0\205\300\211\207<\2", ) , ) == 0x0
 01964   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\10\377u\354\377u\374\3770\350\352\370\377\377\205\300t\4\213\360\353\36\213M\350\213E\34\213u\364\213}\30\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366\377u\374\350\360p\0\0\203}\364\0t\10\377u\364\350\342p\0\0_\213\306^[\311\302\30\0U\213\354\203\354\20\213E\10\213@\14\203e\374\0SV\213u\20\213\16\211E\370\213\200,\3\0\0\215D\10\5P\211E\364\350|p\0\0\213\330\205\333u\10j\10^\351\245\0\0\0\213U\20\306\3\1f\307C\1sl\213\16\213u\14\213\301W\301\351\2\215{\3\363\245\213\310\203\341\3\363\244\213\2f\307D\30\3sl\213E\370\213\22\213\210,\3\0\0\215|\32\5\213\321\301\351\2\215\260,\2\0\0\363\245\213\312\203\341\3j\1\363\244\215M\360Q\215M\374Q\377p\10\213E\10\377u\364S\3770\350\0\370\377\377\205\300t\4\213\360\353\36\213M\360\213E\20\213u\374\213}\14\211\10\213\301\301\351\2\363\245\213\310\203\341\3\363\2443\366S\350\10p\0\0\203}\374\0_t\10\377u\374\350\371o\0\0\213\306^[\311\302\14\0U\213\354\203\354`SVW3\300j\6Y\215}\310\363\253\213E\20\213X\14\213M\143\366\270\3L\0\0+\310\211u\374\211u\360\211u\344\211u\350t!\203\351\4t\12\276\10\0\11\200\351c\1\0\0\213C\14\211E\370\213C\4\307E\360\1\0\0\0\353\6\213K\20\211M\370\213K\24\211E\364\213E\3703\322\215D\1\377\367\361\203\370\2\211E\354v\12\276 \0\11\200\351(\1\0\03\3009E\354v-\215x\1\215E\340P\215D5\240P\377u\360\377u\24W\377u\20\350\341\373\377\377\205\300\17\205\351\0\0\0\3u\340\213\307;E\354r\323\201}\14\7L\0\0u", ) , ) == 0x0
 01965   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\253\2533\3339]\24\253j\20_\211]\374\211}\354\211]\364t\1C\213u\10\215E\374P\377v\\3506\377\377\377\205\300t\4\213\360\353W\203}\20\2\213\206T\1\0\0\213H\4\213U\14u\33\203}\30\0t\5\213RH\353\3\213RD\215u\354WV\215p\30\203\300\10\353\31\203}\30\0t\5\213RP\353\3\213RL\215u\354WV\215p8\203\300(\377u\374\211U\370\213\21VPSQ\377R@3\366\203}\374\0t\10\377u\374\350\231`\0\0_\213\306^[\311\302\24\0U\213\354\201\354\210\1\0\0VWjb3\300Y\215\275x\376\377\377\363\253\213E\10\211\205\324\376\377\377\213E\20jP\211E\264\3502`\0\0\213\370\205\377\211}\314u\5j\10^\353WW\350j\373\377\377\205\300u\7\276 \0\11\200\353@\215\205x\376\377\377P\350\252\373\377\377\205\300u.P\377u\24\215\205x\376\377\377j\2\377u\14P\350\343\376\377\377\205\300u\25P\377u\24\215\205x\376\377\377j\1\377u\14P\350\312\376\377\377\213\360W\350\337\372\377\377_\213\306^\311\302\20\0U\213\354\203\354(\213E\10S\213X\4V\213p\10W\213}\14+x\14\213@\20\271\0\0\375\17+\371\301\377\2\3\361\213\26\3\331\215\204\270\0\0\375\17\213\10\205\311x\10\215\201\2\0\375\17\353\3\17\267\0\205\322\211E\374u^S\377\25l\21\375\17\213\370\205\377\211}\10t\j\0WV\377\25H\21\375\17\213\360\205\366u+j\10Y\215}\334\363\253\213E\10\211E\360\241\304\364\376\17\205\300\307E\330$\0\0\0\211]\344t\24\215M\330Qj\5\377\320\353\12W\377\25x\21\375\17\211u\10\203}\10\0t\21\213U\10\377u\374R\377\25p\21\375\17\205\300u\11\377u\374S\350\370\236", ) , ) == 0x0
 01966   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "3\3073\367\301\306\22\213\3763\360\201\346\17\0\360\3773\3763\306\301\307\14\213\3673\370\201\347\360\360\360\3603\3673\307\301\310\4\211\2\211r\4]_^[\302\20\0\213Ex3\333\213U|3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213Ep3\333\213Ut3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\363\213\2318S\375\173\363\213\2308P\375\173\363\213\2328Q\375\173\363\213Eh3\333\213Ul3\3063\326%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\375\213\2518N\375\173\375\212\316\301\350\20\213\2538M\375\173\375\212\334\301\352\20\213\2518O\375\173\375\213l$\34\212\316%\377\0\0\0\201\342\377\0\0\0\213\2338R\375\173\373\213\2318S\375\173\373\213\2308P\375\173\373\213\2328Q\375\173\373\213E`3\333\213Ud3\3073\327%\374\374\374\374\201\342\317\317\317\317\212\330\212\314\301\312\4\213\2538L\375\17\212\3323\365\213\2518N\375\173\365\212\316\301\350\20\213\2538M\375\173\365\212\334\301\352\20\213\2518O\375\173\365\213l$\34", ) , ) == 0x0
 01967   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320#\352#\301\3\305+\330\203\356\10\213l$\34\211t$ \213\302\213\361\203\340?\203\346?f\213DE\0f\213tu\0+\370+\326\213\303\213\367\203\340?\203\346?f\213DE\0f\213tu\0+\310+\336\213t$ f\301\317\5\213\302\213\352\203\360\377#\351#\303f\301\312\3\3\305+\370\213F\4\213\351+\320\301\350\20+\370\213\301\367\325#\303#\357\3\350f\301\311\2+\325\213\303\213\357\367\320#\353#\302f\321\313\3\305+\310\213\6\213\357+\330\301\350\20+\310\213\307\367\320", ) , ) == 0x0
 01968   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\301\356\30\212\236\3207\375\17\17\266\362\210X\3\212\236\3207\375\17\210X\4\17\266\315\212\211\3207\375\17\210H\5\213L$\34\301\351\20\17\266\311\212\211\3207\375\17\210H\6\213L$\30\301\351\30\212\211\3207\375\17\210H\7\213L$\30\211T$\24\17\266\361\212\236\3207\375\17\210X\10\17\266\326\212\222\3207\375\17\210P\11\17\266T$\22\212\222\3207\375\17\210P\12\17\266T$\37\212\222\3207\375\17\213\30\210P\13\17\266T$\34\212\222\3207\375\17\213p\4\210P\14\17\266\315\212\221\3207\375\17\17\266L$\26\210P\15\212\221\3207\375\17\17\266L$\23\210P\16\212\221\3207\375\17\210P\17\213\173\331\211\30\213W\43\362\213P\10\211p\4\213O\103\321\211P\10\213W\14\213H\14_^3\312]\211H\14[\203\304\20\302\20\0\213D$\20\213T$\4\203\370\1\213D$\14\213\10Qu\22\203\300\4P\213D$\20RP\350\275\370\377\377\302\20\0\5\364\0\0\0P\213D$\20RP\350I\374\377\377\302\20\0\220\220\220\220\220\220\213D$\10S\213\$\20VW\213|$\20S\215w\4VP\211\37\350\224\365\377\377\215\207\364\0\0\0S\213\370\271<\0\0\0P\363\245\350n\367\377\377_^[\302\14\0\220\220\220\220\220\220\220\220S3\3223\311V\213D$\24\213t$\14W\213\370\213\$\24U\212\216\0\1\0\0\213\353\212\226\1\1\0\0\205\333\17\204\17\1\0\0\301\353\2\203\340\3\205\333\17\204\326\0\0\0\205\300\17\205\316\0\0\0\213\307\215<\237\211|$\34\203\350\4\213\353\213x\4A3\300\201\341\377\0\0\0\212\4\16\3\320\201\342\377\0\0\0\212\34\26\210\34\16A\210\4\26\2\303\212\4\63\370\201\341\377\0\0\03\300\212\4\16\3\320\201\342\377", ) , ) == 0x0
 01969   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\215\4k\215\4\205\14\0\0\0=\0\2\0\0v$Pj\0\377\25<\21\375\17\205\300\211D$,u\15_^][\201\304$\2\0\0\302\24\0\211D$ \353\10\215L$4\211L$ \213T$ \215\14\255\0\0\0\0\215<\21\211|$\30\203\307\4\215\49\215P\4\211T$(\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213\264$8\2\0\0\213|$(\307\0\0\0\0\0\211D$0\215\4\235\0\0\0\0\213\310\213\321\301\351\2\363\245\213\312\203\341\3\363\244\213t$(+\335\307\40\0\0\0\0\211\$\34\17\2108\1\0\0\215\4\235\0\0\0\0\215\140\211L$$\213L$\30\203\301\4+\301\3\306\3\335\215\14\236\211D$\20\211L$\24\353\7\213L$\24\215I\0\203\375\1\213\264$<\2\0\0v\6\213D\256\370\353\23\300\213T\256\374P\213A\374\213\11RPQ\350\352\375\377\377\205\300u\5\270\1\0\0\0\213\$ UVPS\350T\26\0\0\213T$\30\211\2\205\355\213\375|\35\213t$$\213D$\30+\363\213\14\6\213\20;\321wbr\10O\203\350\4\205\377}\355\213|$$\215E\1PSWW\350\177\371\377\377\205\355\213\365|\34\213D$0\220\213L$\20\213\14\1\213\20;\312w\12rFN\203\350\4\205\366}\351\213\$\34\213t$\24\213D$\20\271\4\0\0\0C\3\361\3\371\3\301\211\$\34\211t$\24\211D$\20\353\35\215E\1P\213D$\34\203\300\4PSS\350$\371\377\377\351m\377\377\377\271\4\0\0\0\213D$\34\213\$\24\213T$\20H+\331+\371+\321\205\300\211D$\34\211\$\24\211|$$\211T$\20\17\215\364\376\377\377\213t$(\213\234$@\2\0\0\215\24\255\0\0\0\0\213", ) , ) == 0x0
 01970   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "L$$\215\14\301\211T$,\213T$t\211L$\24\215\14\201\211U\0\213D$pPU\211L$ \213L$lVQ\350\337\373\377\377\205\300u\33S\377\25|\21\375\17_^]3\300[\203\304P\302\24\0\353\6\215\233\0\0\0\0\213T$p\213D$dRUWP\350\257\373\377\377\205\300t\320\213L$\20QWV\350/\355\377\377\205\300t\333\213T$\20RWV\350\37\355\377\377\203\370\1t,\213D$\203\311\205\300v"3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) 3\300\213\24\206\211T$d\213\24\207\211\24\206\213T$dA\211\24\207\213T$\20\17\267\301;\302r\340\213D$\20\213L$ PWVQ\350-\355\377\377\213T$\20Rj\1S\350\240\352\377\377\213D$\20\213L$\30PSWQ\350\363\351\377\377\213T$\20\213D$\24RSVP\350\342\351\377\377\213L$\20\213T$\30\213D$\24QRPS\350\351\354\377\377\213L$\20\213D$$\215\24\11\213L$\34RSUPQP\350_\366\377\377\205\300\17\204\14\377\377\377\213D$\20\213L$\34P\215\24\0\213D$\30R\213T$0PQRS\350\11\361\377\377\213D$\20\213L$\30\213T$\34P\3\300P\213D$4QRPS\350\354\360\377\377\213L$\20\213T$0\213D$$QWVRPS\350\5\366\377\377\205\300S\17\204\262\376\377\377\213L$\24\213t$$\213|$8\3\311\363\245\213L$\24\213D$t\215\24\315\0\0\0\0\213L$l\211Q\4\3\300\213\320\211A\10\307\1RSA1\301\352\3J\211Q\14\213u\0\211q\20\213L$p\211A\10\211Q\14\213E\0\211A\20\377\25|\21\375\17\270\1\0\0\0_^][\203\304P\302\24\0\220\220\220\220\220\220\220\213D$\4\2018RS", ) == 0x0
 01971   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\337\377\377\205\300\17\204\262\0\0\0\213\224$P\1\0\0VSRWU\350\260\373\377\377\205\300\17\204\231\0\0\0\213D$\20VUPW\350\237\332\377\377\205\300t\33\215\244$\0\0\0\0\213\214$D\1\0\0VQWW\350@\332\377\377\205\300t\354\213\224$T\1\0\0\213\234$<\1\0\0VRWS\350\205\335\377\377\213D$\34VHP\213\204$L\1\0\0WPS\350\337\336\377\377\205\300t<\213\214$H\1\0\0VQWS\350[\335\377\377\213L$ \215<)\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\34PUSS\350\327\331\377\377\307D$\24\1\0\0\0\213L$$\213|$\20\213\321\301\351\23\300\363\253\213\312\203\341\3\363\252\213D$\30\205\300][t\7P\377\25|\21\375\17\213D$\14_^\201\304(\1\0\0\302 \0\220\220\220\220\220\220\220\377t$\4j\10\377\254\21\375\17P\377\258\21\375\17\302\4\0\377t$\10\377t$\10j\10\377\254\21\375\17P\377\250\21\375\17\302\10\0\203|$\4\0t\23\377t$\4j\10\377\254\21\375\17P\377\25\324\20\375\17\302\4\0U\213\354Q\203e\374\0V\215E\374Pj\1\377u\10\377\25\320\20\375\17P\377\25@\20\375\17\205\300u+\2135\234\21\375\17\377\326=\360\3\0\0u&\215E\374P\377u\10\377\25\314\20\375\17P\377\25D\20\375\17\205\300u\4\377\326\353\12\213E\14\213M\374\211\103\300^\311\302\10\0U\213\354SV\2135\340\362\376\17Wj\123\333_\353$\377\25\234\21\375\17\213\310\201\351\265\6\0\0t:\203\351\6u:\203\373\5s)W\377\25\240\21\375\17\3\377C\377u \377u\34\377u\30\377u\24\377u\20\377u\14\377u\10\377\326", ) , ) == 0x0
 01972   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\374\215\4@\215\4\3058\0\0\09\1s\12jz\211\1X\351\275\0\0\0SW\213=\260\21\375\17j\1ht]\375\17\377u\14\377\327\213\330\212\6\203\304\14\204\300u88F\1u3\17\266F\2\17\266N\3\301\340\10\3\301\17\266N\4\301\340\10\3\301\17\266N\5\301\340\10\3\301P\213E\14\215\4Xhl]\375\17P\377\327\203\304\14\353.\17\266N\5Q\17\266N\4Q\17\266N\3Q\17\266N\2Q\17\266N\1\17\266\300QP\213E\14\215\4Xh(]\375\17P\377\327\203\304 3\366\3\3309u\374v%V\377u\10\377\25\20\20\375\17\3770\213E\14\215\4Xh\30]\375\17P\377\327\203\304\14\3\330F;u\374r\333\213E\20C\211\30_3\300[^\311\302\14\0U\213\354Q\213E\20\203 \0\203e\374\0V\215E\374Pj\10\350T\360\377\377\205\300t\4\213\360\353b\213u\14S\213\35\34\20\375\17W\213}\10V\3776\3777j\1\377u\374\377\323\205\300u@\377\25\234\21\375\17\203\370zt\4\213\360\3533\3776\350\313\357\377\377\205\300\211\7u\5j\10^\353!\213M\203\300V@\211\1\3776\3777P\377u\374\377\323\205\300u\10\377\25\234\21\375\17\353\3133\366_[\203}\374\0t\11\377u\374\377\25\340\20\375\17\213\306^\311\302\14\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215E\370P\307E\364\0\1\0\0\3506\377\377\377\205\300\213u\370u\15\377u\14\377u\10\3776\350\3\375\377\377\203}\374\0\213\370t\12\205\366t\6V\350a\357\377\377\213\307_^\311\302\10\0U\213\354\201\354\14\1\0\0\203e\374\0V\215\205\364\376\377\377\211E\370W\215E\374P\215E\364P\215", ) , ) == 0x0
 01973   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\2S\377\326\213\370;\373u\12\377\25\234\21\375\17\213\360\353p\215D?\2P\350\336\340\377\377;\303\211Elu\5j\10^\353MWPj\377\377u|j\2S\377\326\205\300u\10\377\25\234\21\375\17\353/\377ul\377ux\350\23\370\377\377\205\300t$\215E\314P\377u|\350-\346\377\377;\303u\20\215E\314P\377ux\350\363\367\377\377;\303t\4\213\360\353\23\3669]lt\10\377ul\350\250\340\377\377_\213\306^[\203\305p\311\302\10\0U\215l$\224\201\354\254\0\0\0\203Md\377VW\215EhP\215E`P3\377W\377u|\211}h\377ut\211}`3\366\350\300\361\377\377;\307uG\377ux\377uh\350\363\376\377\377\205\300t?9}|t=\377uh\350M\340\377\377\215EhP\215E`PFV\377u|\211}h\377ut\350\210\361\377\377;\307u\17\377ux\377uh\350\273\376\377\377;\307t\12\213\360\351\204\0\0\03\366FSj(Y3\300\215}\300\363\253\215EdP\215E\300P\377ux\377uh\350e\365\377\377\213\35\340\20\375\17\3537\377ud\377\323\203Md\377\215E\300P\377uh\350\21\367\377\377\205\300u4j(Y\215}\300\363\253\215EdP\215E\300P\377ux3\366\377uhF\350&\365\377\377\205\300t\305\367\336\33\366\201\346\352\377\366\177\201\306\26\0\11\200\353\2\213\360\203}d\377t\5\377ud\377\323[\203}h\0t\10\377uh\350\211\337\377\377_\213\306^\203\305l\311\302\14\0U\213\354Q\203M\374\377VW\215E\374P\377u\14\377u\20h\0\0\0\200\377u\10\350\1\364\377\3773\366;\306t\17\203\370\2u"\277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) \277\26\0\11\200\351\307\0\0\0V\377u\374\377\25\364\20\375\17\203\370\377\211E\20", ) == 0x0
 01974   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\300^_\311\302\4\0\377\25\234\21\375\17\353\362U\213\354\203\354 V\213u\10\215E\350P\215E\364PV\377\25\10\20\375\17\205\300u\13\377\25\234\21\375\17\351\252\0\0\0SV\377\25\300\20\375\17P\211E\10\350\264\320\377\377\205\300\213]\14\211\3u\10j\10X\351\207\0\0\0\366E\365\200\17\204\203\0\0\0\213M\10W\213\370\213\301\301\351\2\363\245\213\310\203\341\3\363\244_\215E\344P\215E\374P\215E\360P\3773\377\25\274\20\375\17\205\300tf3\3669u\360t\219u\374t\14\377u\374\350\344\376\377\377;\306u8\215E\340P\215E\370P\215E\354P\3773\377\25\270\20\375\17\205\300t69u\354t\219u\370t\14\377u\370\350\266\376\377\377;\306u\12\213E\20\213M\10\211\103\300[^\311\302\14\0\215M\10QPV\377\25\264\20\375\17\205\300u\202\377\25\234\21\375\17\353\342U\213\354\203\354\20VW\215E\30P\215E\3743\377P\377u\30\211}\374\211}\364\211}\370\211}\360\350\353\376\377\377;\307u\30\215E\370P\215E\360PW\377u\20\377u\14\350C\341\377\377;\307t\4\213\360\353\177\213u\370SV\350\246\20\0\0\377u\10\213\330\321\343\350\232\20\0\0\321\340Y\211E\30Y\215D\30\2P\350\221\317\377\377;\307\211E\364u\5j\10^\353K\213\313\213\321\301\351\2\377u\374\213\370\363\245\377u\24\213\312\203\341\3\363\244\213M\30\213u\10\203\301\2\213\321\301\351\2\215<\3\363\245\213\312\203\341\3P\363\244\377\25\4\20\375\17\205\300u\12\377\25\234\21\375\17\213\360\353\23\3663\377[9}\374t\10\377u\374\350\\317\377\3779}\370t\10\377u\370\350O\317\377\3779}\364t\10\377u\364\350B\317\377\377_\213\306^\311\302\24\0U\213", ) , ) == 0x0
 01975   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\311\302\30\0\213D$\4\353\11;L$\10t\13\203\300X\213\10\205\311u\3613\300\302\10\0\377t$\10\377t$\10\350\331\377\377\377\213L$\14\205\311t\2\211\13\311\205\300\17\225\301\213\301\302\14\0\213D$\20\205\300u\21\377t$\10\377t$\10\350\256\377\377\377\205\300t\23\213L$\149H\10w\129H\14r\53\300@\353\23\300\302\20\0\213T$\20\213D$\14\203"\0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) \0\205\300u\21\377t$\10\377t$\10\350v\377\377\377\205\300t\10\213@\4\211\23\300@\302\20\0\270\370\362\376\17\351\0\0\0\0QRPh\334\277\376\17\350\203`\377\377ZY\377\340\270\364\362\376\17\351\345\377\377\377\270\374\362\376\17\351\333\377\377\377\270\354\362\376\17\351\0\0\0\0QRPh\374\277\376\17\350T`\377\377ZY\377\340\377%\354\362\376\17\314\377%D\21\375\17\314\314\314\314\314\314\314\314SV\213D$\30\13\300u\30\213L$\24\213D$\203\322\367\361\213\330\213D$\14\367\361\213\323\353A\213\310\213\$\24\213T$\20\213D$\14\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\360\367d$\30\213\310\213D$\24\367\346\3\321r\16;T$\20w\10r\7;D$\14v\1N3\322\213\306^[\302\20\0\314\314\314\314\314\314\314\314S\213D$\24\13\300u\30\213L$\20\213D$\143\322\367\361\213D$\10\367\361\213\3023\322\353P\213\310\213\$\20\213T$\14\213D$\10\321\351\321\333\321\352\321\330\13\311u\364\367\363\213\310\367d$\24\221\367d$\20\3\321r\16;T$\14w\10r\16;D$\10v\10+D$\20\33T$\24+D$\10\33T$\14\367\332\367\330\203\332\0[\302\20\0\314\377%\334\21\375\17\377%\330\21\375\17\377%\300\21\375\17", ) == 0x0
 01976   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\343\316\1\0\365\316\1\0\7\317\1\0\0\0\1\0\2\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\14\0\15\0\16\0\17\0\20\0\21\0\22\0\23\0\24\0\25\0\26\0\27\0\30\0\31\0\32\0RSAENH.dll\0CPAcquireContext\0CPCreateHash\0CPDecrypt\0CPDeriveKey\0CPDestroyHash\0CPDestroyKey\0CPDuplicateHash\0CPDuplicateKey\0CPEncrypt\0CPExportKey\0CPGenKey\0CPGenRandom\0CPGetHashParam\0CPGetKeyParam\0CPGetProvParam\0CPGetUserKey\0CPHashData\0CPHashSessionKey\0CPImportKey\0CPReleaseContext\0CPSetHashParam\0CPSetKeyParam\0CPSetProvParam\0CPSignHash\0CPVerifySignature\0DllRegisterServer\0DllUnregisterServer\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01977   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2f\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1h\0\0\200\0\0\0(\0\0\0\200\0\0\0\0\0\0\0\4\0\0\0RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0RSA Data Security's RC4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1f\0\08\0\0\08\0\0\08\0\0\0\0\0\0\0\4\0\0\0DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\0\0\0Data Encryption Standard (DES)\0\0\0\0\0\0\0\0\0\0\11f\0\0p\0\0\0p\0\0\0p\0\0\0\0\0\0\0\15\0\0\03DES TWO KEY\0\0\0\0\0\0\0\0\23\0\0\0Two Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3f\0\0\250\0\0\0\250\0\0\0\250\0\0\0\0\0\0\0\5\0\0\03DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0Three Key Triple DES\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\200\0\0\240\0\0\0", ) , ) == 0x0
 01978   388   NtReadFile  (248, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916},  (248, 0, 0, 0, 2916, 0x0, 0, ... {status=0x0, info=2916}, "\0\0\0\0\5L\0\0(\0\0\0(\0\0\0\300\0\0\0\2\0\0\0\14\0\0\0SSL2 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL2 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\4\0\0\0\14\0\0\0SSL3 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0SSL3 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6L\0\0\200\1\0\0\200\1\0\0\200\1\0\0\10\0\0\0\14\0\0\0TLS1 MASTER\0\0\0\0\0\0\0\0\0\14\0\0\0TLS1 Master\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\20\0\0\0SCH MASTER HASH\0\0\0\0\0\25\0\0\0SChannel Master Hash\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH MAC KEY\0\0\0\0\0\0\0\0\0\21\0\0\0SChannel MAC Key\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7L\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\14\0\0\0SCH ENC KEY\0\0\0\0\0\0\0\0\0\30\0\0\0SChannel", ) , ) == 0x0
 01979   388   NtQueryInformationFile  (248, 1237592, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01980   388   NtSetInformationFile  (248, 1237592, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01981   388   NtQueryInformationFile  (248, 1237592, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01982   388   NtSetInformationFile  (248, 1237592, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01983   388   NtReadFile  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096},  (248, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=4096}, "\0\07\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0o\0p\0e\0n\0 \0s\0i\0g\0n\0a\0t\0u\0r\0e\0 \0f\0i\0l\0e\0?\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0g\0e\0t\0 \0t\0h\0e\0 \0s\0i\0z\0e\0 \0o\0f\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\03\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0a\0l\0l\0o\0c\0a\0t\0e\0 \0m\0e\0m\0o\0r\0y\04\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0a\0m\0 \0c\0o\0u\0l\0d\0 \0n\0o\0t\0 \0R\0e\0a\0d\0 \0R\0s\0a\0b\0a\0s\0e\0.\0s\0i\0g\05\0C\0A\0P\0I\0:\0 \0T\0h\0e\0 \0i\0n\0s\0t\0a\0l\0l\0 \0p\0r\0o\0g\0r\0", ) , ) == 0x0
 01984   388   NtReadFile  (248, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192},  (248, 0, 0, 0, 1192, 0x0, 0, ... {status=0x0, info=1192}, "\31\16>W>q>\251>\276>\217?\0\0\0\220\1\0|\0\0\0 0)0J0T0\2120\2360\3070\3460\253182a2\2342\2432\2532\3112\3642\273\2353\2433_4m4\2704\3054\3664+595Q5^5\2045\2165\2505*646\3606\107F7\258 8=8P8d:m:\263<\275<\10=H=`=\220=\210>>?L?q?~?\217?\233?\354?\373?\0\0\0\240\1\0\210\0\0\0\120!0D0}0\2371\3711#2\3512\6333\2043\2353\3333\104V4d4\3264\3514'575v5\2265\3316\3666\67\377e7o7\2117\3457\3677*8\2248\3338!:\177:\251:\270;\276;\325;\344;\356;%<-B>L>\0?\12?\341?\374?\0\260\1\0\10\1\0\0\3240\3500\201\331?1I1\2571\2731\3021\3661'2\2732\3052V3h3n3z3\2273\2563\2643\3253\3663\27484Y4z4\2334\2744\3354\3764\375@5a5\2025\2435\3045\3455\26\376<6Y6o6\1776\2136\2276\2356\2436\2516\2576\2656\2736\3016\3076\3156\3236\3316\3376\3456\3536\3616\3676\3756\37\117\177\257\337"7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) 7-7>7I7\2527\38\238&858z8\2538\3428\3608\49\219$939E9c9+:\201:\313:\200;\216;\227;", ) == 0x0
 01985   388   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 01986   388   NtClose  (240, ... ) == 0x0
 01987   388   NtClose  (248, ... ) == 0x0
 01988   388   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 248, ) }, ... 248, ) == 0x0
 01989   388   NtQueryValueKey  (248,  (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01990   388   NtQueryValueKey  (248,  (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01991   388   NtQueryValueKey  (248,  (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01992   388   NtQueryValueKey  (248,  (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (248, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 01993   388   NtClose  (248, ... ) == 0x0
 01994   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01995   388   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01996   388   NtOpenProcessToken  (-1, 0x8, ... 248, ) == 0x0
 01997   388   NtQueryInformationToken  (248, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 01998   388   NtClose  (248, ... ) == 0x0
 01999   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 248, {status=0x0, info=0}, ) }, 7, 16, ... 248, {status=0x0, info=0}, ) == 0x0
 02000   388   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\276\237w\314\34\243u\35\26\3\342QM\33Y\16\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02001   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02002   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02003   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02004   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02005   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02006   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02007   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02008   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482108, 2, ) }, 0, 0x0, 0, ... -2147482108, 2, ) == 0x0
 02009   388   NtSetValueKey  (-2147482108,  (-2147482108, "Seed", 0, 3, "\303\337\377C(\227\337\232\351\347J+=\264\276BQ(p\277!i_o6F#\322\356rM\14\14\261\24P\4\26&\226&\331\262\213"~g\35\21\361\3\26\205\233\330\214,ifq\6\274\330\337U}\3128h\24\274\333?*\340#\6\344\256\213", 80, ... , 0, 3,  (-2147482108, "Seed", 0, 3, "\303\337\377C(\227\337\232\351\347J+=\264\276BQ(p\277!i_o6F#\322\356rM\14\14\261\24P\4\26&\226&\331\262\213"~g\35\21\361\3\26\205\233\330\214,ifq\6\274\330\337U}\3128h\24\274\333?*\340#\6\344\256\213", 80, ... ~g\35\21\361\3\26\205\233\330\214,ifq\6\274\330\337U}\3128h\24\274\333?*\340#\6\344\256\213", 80, ...
 02010   388   NtSetInformationFile  (-2147482808, -130777476, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02011   388   NtSetInformationFile  (-2147482808, -130777512, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02009   388   NtSetValueKey  ... ) == 0x0
 02012   388   NtClose  (-2147482108, ... ) == 0x0
 02000   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\233\376\225`7x\220\3\324\3133\241!u\364\270\320\340[\30\350e\5\32\303e:8G\305\21|\36\212\30\357\31\7\331\201\2543\340\310Q\326\300\21H:\367\336\355\336\202\7B\256}@xi\13;\321\321S\234\252\366;\243 \214\201J\250(S\254\270[\313\250\310cx.\20\356\331\301~\223*\320*\216\340\206\20335\241L\301k~\362;#\307\231\314\207jn\342\26$G\376\216d\357c\221\234\315\241\215\37\330\26\242<\177.\34\203\2727\240C\315\34Cn\305\306f\227Q\270\14\373\223|\211@rV`\276=l\273\244\336'H\3314\250?\13\237GM\334{VI!kn\263\277\352\10\16\263\364vrdk<\362\251\327NtClose  (244, ... ) == 0x0
 02014   388   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\276\237w\314\34\243uZ\350!jnL@{b\354\372\327\226\37\203F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02015   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02016   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02017   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02018   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02019   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02020   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02021   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02022   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482108, 2, ) }, 0, 0x0, 0, ... -2147482108, 2, ) == 0x0
 02023   388   NtSetValueKey  (-2147482108,  (-2147482108, "Seed", 0, 3, "\25d\357{\352J\373\316\374\246t\302V\326(IW\306E\216\200m\303\347\336;\330\356\314\7/I6XU\320\14\13RC\373\307\22~\345\317T\307Q\241\2234\317\4>\17fp\203q\265*\33<\274]\366\221q\331\347\24N\234\347\24\372{O\213", 80, ... ) , 0, 3,  (-2147482108, "Seed", 0, 3, "\25d\357{\352J\373\316\374\246t\302V\326(IW\306E\216\200m\303\347\336;\330\356\314\7/I6XU\320\14\13RC\373\307\22~\345\317T\307Q\241\2234\317\4>\17fp\203q\265*\33<\274]\366\221q\331\347\24N\234\347\24\372{O\213", 80, ... ) , 80, ... ) == 0x0
 02024   388   NtClose  (-2147482108, ... ) == 0x0
 02014   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\227\3406p.\256\311}\25*\323\3678\4\201Mk/\240\234W\246\206\350=[L{Q*\307zg\240\370\20\357\26\375n\330hL#-D\345^X\243!\334;\25H6\361\304\363\373\11\363Etz\32\232\351\271\206 >\364\241\23\245\372`jq\342\352N\207\257\273)'\301\224\330\361W\231\310\340-?\3022)\214\342\21/\313\253"\177\20T\324!\347\364\371X\\25odf\302\235\277U\306\370\233\303\33\201\336\341\236\302\253auV\11nc\233\306\323\356\325N\307b8\362\371`c\271\370\250\210<\24\261\12Y^C\371XO7u\11\244qX\221\3\252\357\226\234\367\2320\272\336\255\2449\32xn\22\235\370\20w\275\360\306{"(\37\220\216\310\317\225\371\303Y\247B\306\246*\353\2574\337\345!\23m.\364\317i\17\31\303\0\\243\357\363`S\215g^\377\305\377\36\17\356o1f\353\363\330", ) \177\20T\324!\347\364\371X\\25odf\302\235\277U\306\370\233\303\33\201\336\341\236\302\253auV\11nc\233\306\323\356\325N\307b8\362\371`c\271\370\250\210<\24\261\12Y^C\371XO7u\11\244qX\221\3\252\357\226\234\367\2320\272\336\255\2449\32xn\22\235\370\20w\275\360\306{ ... {status=0x0, info=256}, "\227\3406p.\256\311}\25*\323\3678\4\201Mk/\240\234W\246\206\350=[L{Q*\307zg\240\370\20\357\26\375n\330hL#-D\345^X\243!\334;\25H6\361\304\363\373\11\363Etz\32\232\351\271\206 >\364\241\23\245\372`jq\342\352N\207\257\273)'\301\224\330\361W\231\310\340-?\3022)\214\342\21/\313\253"\177\20T\324!\347\364\371X\\25odf\302\235\277U\306\370\233\303\33\201\336\341\236\302\253auV\11nc\233\306\323\356\325N\307b8\362\371`c\271\370\250\210<\24\261\12Y^C\371XO7u\11\244qX\221\3\252\357\226\234\367\2320\272\336\255\2449\32xn\22\235\370\20w\275\360\306{"(\37\220\216\310\317\225\371\303Y\247B\306\246*\353\2574\337\345!\23m.\364\317i\17\31\303\0\\243\357\363`S\215g^\377\305\377\36\17\356o1f\353\363\330", ) , ) == 0x0
 02025   388   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\276\237w\314\34\243uZ\350!jnL@<\234\316r\350\227D\241*\354\372\327\226\37\203F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02026   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02027   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02028   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02029   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02030   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02031   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02032   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02033   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482108, 2, ) }, 0, 0x0, 0, ... -2147482108, 2, ) == 0x0
 02034   388   NtSetValueKey  (-2147482108,  (-2147482108, "Seed", 0, 3, "\237\371Yi\263\373B\216os!\33\6\251\232`\354zW\346\325\200}3\355\303\272m\315\37J\27\25\350\277\204\333>\275n\262\6\322\365\271\177\326F\241+\321w\16\332\202x[\376a\332Z&\205\3060`q\12b\5\24\203\240\220\332\362\13\252\353\300", 80, ... ) , 0, 3,  (-2147482108, "Seed", 0, 3, "\237\371Yi\263\373B\216os!\33\6\251\232`\354zW\346\325\200}3\355\303\272m\315\37J\27\25\350\277\204\333>\275n\262\6\322\365\271\177\326F\241+\321w\16\332\202x[\376a\332Z&\205\3060`q\12b\5\24\203\240\220\332\362\13\252\353\300", 80, ... ) , 80, ... ) == 0x0
 02035   388   NtClose  (-2147482108, ... ) == 0x0
 02025   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\30v\31\205\347|\340F\376\323\373\241J\2125\247x\215\306\347D^m\226as\273|\321\323\273\205\260\333\237D-\207g\3255\271\375\32\346\2175\/F\3\\366\11\350}\263\260\274\35}NM\233\36\225\2306\316K\20\3551\301\321\223\134b\361\202\210\6\310\317^\36\272\305\256~\372\20\130\32\205\22\272u\14\345;\16 _q\361\264\331\236~w\277\203\342\355\353U\341\253&\347\26\262\3056\0\3D9\245Re\255\3DH\337\27\235Zn\311\251\34\34\2144*~\277B\37s\2007\3S\362\264\356\33\254\220\241&2\234\366\243\211\21\26\263\344\366d_94\355~[\251vV, ) , ) == 0x0
 02036   388   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\276\237w\314\34\243uZ\350!jnL@<\234\316r\350\227D\346\324\316r\350\227D\241*\354\372\327\226\37\203F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02037   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02038   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02039   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02040   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02041   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02042   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02043   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02044   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482108, 2, ) }, 0, 0x0, 0, ... -2147482108, 2, ) == 0x0
 02045   388   NtSetValueKey  (-2147482108,  (-2147482108, "Seed", 0, 3, "\252\227ejD\241\14\367}\237\354iD\357\354\210T\234?\366'&c\211\354\4\336_/QEF\33\177\373\250\325c)LU~\24\244\177\237\202\205E\276i\242\214\327\352"\245\220\21\2\31\303\370 \0\214\27A\214\322\16\274\314\374)Y\215I\361\272", 80, ... ) , 0, 3,  (-2147482108, "Seed", 0, 3, "\252\227ejD\241\14\367}\237\354iD\357\354\210T\234?\366'&c\211\354\4\336_/QEF\33\177\373\250\325c)LU~\24\244\177\237\202\205E\276i\242\214\327\352"\245\220\21\2\31\303\370 \0\214\27A\214\322\16\274\314\374)Y\215I\361\272", 80, ... ) \245\220\21\2\31\303\370 \0\214\27A\214\322\16\274\314\374)Y\215I\361\272", 80, ... ) == 0x0
 02046   388   NtClose  (-2147482108, ... ) == 0x0
 02036   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "B\301\265\363?\16j\221\333#\226\322\332\201\274\210\330\230p\362B\273:\224X99'HQf5J6\177\203M\303:\1"\276vL\226,c/\307i\216\353\214\360\361\260,\353\363\276\244:\264@\221'\326\264\347P\277\24\245\305\373]&\250 \205\356\375\262\332-\26\321q\216\5\22m\221\353\215\233\314\215o{\306#\353\10T\7_\27\370H\310`\3O\367\26O,\3]\360\207\33mEXi\331\375\254"\177\335\353v~r\24O@\247\317\3R\352\300"R\337\6^c\255\247"u\330Qf\0w|@\27\247\333V\13S\346\304d\252\270\311\301\216\345^\375Tu#\356\26m`\225\204\177-\216pVe\232\322\251\14\360\271~\6\350\357\304@4\245\331/\222\200\273\246@\30\222\250iaz<1\33\322\247\334l\346\207\327\17\302\32\221\177\365\4\217b\240", ) \276vL\226,c/\307i\216\353\214\360\361\260,\353\363\276\244:\264@\221'\326\264\347P\277\24\245\305\373]&\250 \205\356\375\262\332-\26\321q\216\5\22m\221\353\215\233\314\215o{\306#\353\10T\7_\27\370H\310`\3O\367\26O,\3]\360\207\33mEXi\331\375\254 ... {status=0x0, info=256}, "B\301\265\363?\16j\221\333#\226\322\332\201\274\210\330\230p\362B\273:\224X99'HQf5J6\177\203M\303:\1"\276vL\226,c/\307i\216\353\214\360\361\260,\353\363\276\244:\264@\221'\326\264\347P\277\24\245\305\373]&\250 \205\356\375\262\332-\26\321q\216\5\22m\221\353\215\233\314\215o{\306#\353\10T\7_\27\370H\310`\3O\367\26O,\3]\360\207\33mEXi\331\375\254"\177\335\353v~r\24O@\247\317\3R\352\300"R\337\6^c\255\247"u\330Qf\0w|@\27\247\333V\13S\346\304d\252\270\311\301\216\345^\375Tu#\356\26m`\225\204\177-\216pVe\232\322\251\14\360\271~\6\350\357\304@4\245\331/\222\200\273\246@\30\222\250iaz<1\33\322\247\334l\346\207\327\17\302\32\221\177\365\4\217b\240", ) R\337\6^c\255\247 ... {status=0x0, info=256}, "B\301\265\363?\16j\221\333#\226\322\332\201\274\210\330\230p\362B\273:\224X99'HQf5J6\177\203M\303:\1"\276vL\226,c/\307i\216\353\214\360\361\260,\353\363\276\244:\264@\221'\326\264\347P\277\24\245\305\373]&\250 \205\356\375\262\332-\26\321q\216\5\22m\221\353\215\233\314\215o{\306#\353\10T\7_\27\370H\310`\3O\367\26O,\3]\360\207\33mEXi\331\375\254"\177\335\353v~r\24O@\247\317\3R\352\300"R\337\6^c\255\247"u\330Qf\0w|@\27\247\333V\13S\346\304d\252\270\311\301\216\345^\375Tu#\356\26m`\225\204\177-\216pVe\232\322\251\14\360\271~\6\350\357\304@4\245\331/\222\200\273\246@\30\222\250iaz<1\33\322\247\334l\346\207\327\17\302\32\221\177\365\4\217b\240", ) , ) == 0x0
 02047   388   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\276\237w\314\34\243uZ\350!jnL@<\234\316r\350\227D\346\324\316r\350\227D\346\324\316r\350\227D\241*\354\372\327\226\37\203F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02048   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02049   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02050   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02051   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02052   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02053   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02054   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02055   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482108, 2, ) }, 0, 0x0, 0, ... -2147482108, 2, ) == 0x0
 02056   388   NtSetValueKey  (-2147482108,  (-2147482108, "Seed", 0, 3, "\263\316\254\222\340\306\235)l\335\323\21*\23r\237G4[@\272\237"h\231\330\231~\205\251\356\331\217\223m\312\{12C_\355\4,g?-\10\222\234\354r\375\330u #P\332\225\2311\265\363\325\202\3031"\36\210\246\27\261o\310\322\261", 80, ... ) , 0, 3,  (-2147482108, "Seed", 0, 3, "\263\316\254\222\340\306\235)l\335\323\21*\23r\237G4[@\272\237"h\231\330\231~\205\251\356\331\217\223m\312\{12C_\355\4,g?-\10\222\234\354r\375\330u #P\332\225\2311\265\363\325\202\3031"\36\210\246\27\261o\310\322\261", 80, ... ) h\231\330\231~\205\251\356\331\217\223m\312\{12C_\355\4,g?-\10\222\234\354r\375\330u #P\332\225\2311\265\363\325\202\3031 (-2147482108, "Seed", 0, 3, "\263\316\254\222\340\306\235)l\335\323\21*\23r\237G4[@\272\237"h\231\330\231~\205\251\356\331\217\223m\312\{12C_\355\4,g?-\10\222\234\354r\375\330u #P\332\225\2311\265\363\325\202\3031"\36\210\246\27\261o\310\322\261", 80, ... ) , 80, ... ) == 0x0
 02057   388   NtClose  (-2147482108, ... ) == 0x0
 02047   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\333M\16Y\306.\4\357\210\30\215\27S\235"U\306\2150\277\367\251d\207Fx{f4I\371\376\220\326\310xHy\3\326\214\331\34*\301\362\257?E_\305q\330@6\306\31\200\357\316#\273\213_?\322[\346\227w\21\270\34_\346\374E\360.\220\32%\303\213\303'\31\23\371\234\314\23\242\220\243\323U\303V\266\2224^&\277]\346c\203\211\343\364\17$\276\303H\10N|\246\3408.UI<\36\310\200\245\247w\202-IQ\307\3109|\244\3036\223w\12`\32Y\211\17\335\355\246I\215B}\253UK\305\367\207\354<\360\34\311\213\k3\267\24:_\352\270\265?\246\36\36q\220c\315J6\371\17\361\255\210<.,\310\27.9J\33[\12VlDm\377r\207\10A'\16\206\237a\220\373\3169\206\224C7\3405]i~\260:\363G&\204\224%\271\361#\325D\367T\16\356\233G\317", ) U\306\2150\277\367\251d\207Fx{f4I\371\376\220\326\310xHy\3\326\214\331\34*\301\362\257?E_\305q\330@6\306\31\200\357\316#\273\213_?\322[\346\227w\21\270\34_\346\374E\360.\220\32%\303\213\303'\31\23\371\234\314\23\242\220\243\323U\303V\266\2224^&\277]\346c\203\211\343\364\17$\276\303H\10N|\246\3408.UI<\36\310\200\245\247w\202-IQ\307\3109|\244\3036\223w\12`\32Y\211\17\335\355\246I\215B}\253UK\305\367\207\354<\360\34\311\213\k3\267\24:_\352\270\265?\246\36\36q\220c\315J6\371\17\361\255\210<.,\310\27.9J\33[\12VlDm\377r\207\10A'\16\206\237a\220\373\3169\206\224C7\3405]i~\260:\363G&\204\224%\271\361#\325D\367T\16\356\233G\317", ) == 0x0
 02058   388   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\276\237w\314\34\243uZ\350!jnL@<\234\316r\350\227D\346\324\316r\350\227D\346\324\316r\350\227D\346\324\316r\350\227D\241*\354\372\327\226\37\203F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02059   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02060   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02061   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02062   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02063   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02064   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02065   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02066   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482108, 2, ) }, 0, 0x0, 0, ... -2147482108, 2, ) == 0x0
 02067   388   NtSetValueKey  (-2147482108,  (-2147482108, "Seed", 0, 3, "\22\311U/\17\313$\203Y\331&\226\334\352\230\200\376\5\15\30\205\375A\313\25\371a\243s\6{\177o\334\2615\302\302\27\324ST\14C\352;\207*\317\277h\352U5\244\254:\256\257\205\200\334\213\243\341DF3\206\362V\332D\213\262\273\307\257\203\317", 80, ... ) , 0, 3,  (-2147482108, "Seed", 0, 3, "\22\311U/\17\313$\203Y\331&\226\334\352\230\200\376\5\15\30\205\375A\313\25\371a\243s\6{\177o\334\2615\302\302\27\324ST\14C\352;\207*\317\277h\352U5\244\254:\256\257\205\200\334\213\243\341DF3\206\362V\332D\213\262\273\307\257\203\317", 80, ... ) , 80, ... ) == 0x0
 02068   388   NtClose  (-2147482108, ... ) == 0x0
 02058   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "C,\374\6=\376\10\350*\367\323#\222m\327\333\20\360\347\317\210\32\332\354u\2449\261}-\22189 \372?\306\213YJa~\250en\321\345\363/\314\235M#'h\3145\246\272U\321!]\206A\325\4\274t\370\20\255n{\336gj\50\305<\13G*3\354\377\221\210\324\251\316)\337~\250\236R2\300\231\17\17\355\375S\350\334\307*;\252\347|\362\274t\207\341\0\367\354\223\6\235\321A\214~u\334\214\177\302\2ZF\4\325\31\334S\207\332';\240\6\321D\264q\15\31\345\355+\317\317\221C\240\260gS6[\261\2338-\23\375\207\257\216\266S\302\365\220\274(7| \263\13r\13(L3\345\331\257Z\254PC/b\22'<\306\255\2\6\267aP(\260v\250?\221\266\327\372\312\377\361\34\26\14\200\263/\34\244\2072eso\232\220\346U \274\231`\273\3721,\242C\235$\221", ) , ) == 0x0
 02069   388   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\276\237w\314\34\243uZ\350!jnL@<\234\316r\350\227D\346\324\316r\350\227D\346\324\316r\350\227D\346\324\316r\350\227D\346\324\316r\350\227D\241*\354\372\327\226\37\203F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02070   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02071   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02072   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02073   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02074   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02075   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02076   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02077   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482108, 2, ) }, 0, 0x0, 0, ... -2147482108, 2, ) == 0x0
 02078   388   NtSetValueKey  (-2147482108,  (-2147482108, "Seed", 0, 3, "l\35 N\310\270\343`T<\6N&\213/'\235x\304p\26J\337V\340\254\22\32\263\275\275M\3138\237'r7tQA9^\6\343^\301\242\243\324\35\31", 80, ... ) , 0, 3,  (-2147482108, "Seed", 0, 3, "l\35 N\310\270\343`T<\6N&\213/'\235x\304p\26J\337V\340\254\22\32\263\275\275M\3138\237'r7tQA9^\6\343^\301\242\243\324\35\31", 80, ... ) J\337V\340\254\22\32\263\275\275M\3138\237'r7tQA9^\6\343^\301\242\243\324\35\31", 80, ... ) == 0x0
 02079   388   NtClose  (-2147482108, ... ) == 0x0
 02069   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "7k\214\244\315\253\11V\242\222\335\315\4\234]i0\)&\313<\334\326\312Ol\233A\375L@D\266\226\14d\1\12\370\332\0)y2\14\343b\35\340B\256\222\247\321H\204\303\355\240\240\271\317\12"\257,,Y\237\2271\201\23\335\331\275N\221\314;\221{\16Z\271LV\333R:\31\324\34=\254\271\236\300\306\j}Q\242\212D\214\254\10\210r\260\253q\5\320\362\244Z\236\263"\344\230\217\235*\323\305\361^T\374be\6\266\332]\243\244\16MK\177\233.\241\307\365(\344\11\\373*\301\317\273\13\334\304\233\270\34\261^\215a\3750w,\276\330\341[;{\\255\221\304\217\13\3765\1\4Z\302\320\261/;\33\247"K\13%N\3659.XGrk\207[\353\326", ) \257,,Y\237\2271\201\23\335\331\275N\221\314;\221{\16Z\271LV\333R:\31\324\34=\254\271\236\300\306\j}Q\242\212D\214\254\10\210r\260\253q\5\320\362\244Z\236\263243\354X=\325%\337\376=\244\3324\316\340\365\300\10\25\2357\274\31?+\370X\226f\3202\311P\376h\159xM ... {status=0x0, info=256}, "7k\214\244\315\253\11V\242\222\335\315\4\234]i0\)&\313<\334\326\312Ol\233A\375L@D\266\226\14d\1\12\370\332\0)y2\14\343b\35\340B\256\222\247\321H\204\303\355\240\240\271\317\12"\257,,Y\237\2271\201\23\335\331\275N\221\314;\221{\16Z\271LV\333R:\31\324\34=\254\271\236\300\306\j}Q\242\212D\214\254\10\210r\260\253q\5\320\362\244Z\236\263"\344\230\217\235*\323\305\361^T\374be\6\266\332]\243\244\16MK\177\233.\241\307\365(\344\11\\373*\301\317\273\13\334\304\233\270\34\261^\215a\3750w,\276\330\341[;{\\255\221\304\217\13\3765\1\4Z\302\320\261/;\33\247"K\13%N\3659.XGrk\207[\353\326", ) K\13%N\3659.XGrk\207[\353\326", ) == 0x0
 02080   388   NtDeviceIoControlFile  (248, 0, 0x0, 0x0, 0x390008,  (248, 0, 0x0, 0x0, 0x390008, "\276\237w\314\34\243uZ\350!jnL@<\234\316r\350\227D\346\324\316r\350\227D\346\324\316r\350\227D\346\324\316r\350\227D\346\324\316r\350\227D\346\324\316r\350\227D\241*\354\372\327\226\37\203F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02081   388   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02082   388   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02083   388   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02084   388   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02085   388   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02086   388   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02087   388   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02088   388   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482108, 2, ) }, 0, 0x0, 0, ... -2147482108, 2, ) == 0x0
 02089   388   NtSetValueKey  (-2147482108,  (-2147482108, "Seed", 0, 3, "\362\0\250'\321\370\30|\345\322\212\344n\235\320 \266?\356]sh\327\206\264\261(\345?me\3201N\242\20\242p\341\241V\316\365w\316\353_\56V\3366b\336\222-Bb\235!\3?\343\267c\370CL\3151\\330r\264: :-\17e", 80, ... ) , 0, 3,  (-2147482108, "Seed", 0, 3, "\362\0\250'\321\370\30|\345\322\212\344n\235\320 \266?\356]sh\327\206\264\261(\345?me\3201N\242\20\242p\341\241V\316\365w\316\353_\56V\3366b\336\222-Bb\235!\3?\343\267c\370CL\3151\\330r\264: :-\17e", 80, ... ) , 80, ... ) == 0x0
 02090   388   NtClose  (-2147482108, ... ) == 0x0
 02080   388   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "a\250\325\262\230\362A\241N\245\256\20\270X\326U\335\223\275<\340\5L7\3713Z!_\23z\360\22\361\320\35#\221\351-JDe\232\221l\11\350\177\261\263]\363\222\251\247\21\275\26\25\223\244\325\375\2\315%1W:\222\2104n\357dC\227\300\334XU\30K!J7!\169'l\373@\325:\251\255H\314\234y.\322C\227\245b\24\35\372\20\330\263\340"\37n\343\234C,*\275\202\6\256\203\347\215\351w\253&x\15\336\7"-$\366\177\256\25\340\1\230aH\266\2663\301\26T\361\37wh,%\334\15*\13y4\350r\342\357\315\14u\364V\276\212_/\227\334.\225\331F\216\34\243\32^\274\3272\350\34\344\343~"\7\315\177\331\2544\267|\3\366\355\366m\14\244bF\371\335{\2643y\33\270g\11\345i\352\17_O\330(\243\231{f\1^e\3709\346\260 \226\177\255\212\375\370\224", ) \37n\343\234C,*\275\202\6\256\203\347\215\351w\253&x\15\336\7 ... {status=0x0, info=256}, "a\250\325\262\230\362A\241N\245\256\20\270X\326U\335\223\275<\340\5L7\3713Z!_\23z\360\22\361\320\35#\221\351-JDe\232\221l\11\350\177\261\263]\363\222\251\247\21\275\26\25\223\244\325\375\2\315%1W:\222\2104n\357dC\227\300\334XU\30K!J7!\169'l\373@\325:\251\255H\314\234y.\322C\227\245b\24\35\372\20\330\263\340"\37n\343\234C,*\275\202\6\256\203\347\215\351w\253&x\15\336\7"-$\366\177\256\25\340\1\230aH\266\2663\301\26T\361\37wh,%\334\15*\13y4\350r\342\357\315\14u\364V\276\212_/\227\334.\225\331F\216\34\243\32^\274\3272\350\34\344\343~"\7\315\177\331\2544\267|\3\366\355\366m\14\244bF\371\335{\2643y\33\270g\11\345i\352\17_O\330(\243\231{f\1^e\3709\346\260 \226\177\255\212\375\370\224", ) \7\315\177\331\2544\267|\3\366\355\366m\14\244bF\371\335{\2643y\33\270g\11\345i\352\17_O\330(\243\231{f\1^e\3709\346\260 \226\177\255\212\375\370\224", ) == 0x0
 02091   388   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 244, {status=0x0, info=1}, ) }, 3, 33, ... 244, {status=0x0, info=1}, ) == 0x0
 02092   388   NtQueryVolumeInformationFile  (244, 1238952, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02093   388   NtClose  (12, ... ) == 0x0
 02094   388   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02095   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238168,  (0x80100080, {24, 0, 0x40, 0, 1238168, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0
 02096   388   NtQueryInformationFile  (12, 1239104, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 02097   388   NtQueryInformationFile  (12, 1239076, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02098   388   NtQueryInformationFile  (12, 1239028, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02099   388   NtAllocateVirtualMemory  (-1, 1433600, 0, 8192, 4096, 4, ... 1433600, 8192, ) == 0x0
 02100   388   NtQueryInformationFile  (12, 1431824, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 02101   388   NtQueryInformationFile  (12, 1237572, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02102   388   NtQueryInformationFile  (12, 1237416, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 02103   388   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1237424,  (0x40110080, {24, 0, 0x40, 0, 1237424, "\??\C:\WINDOWS\System32\logon.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 02104   388   NtClose  (-2147482108, ... ) == 0x0
 02103   388   NtCreateFile  ... 240, {status=0x0, info=2}, ) == 0x0
 02105   388   NtQueryVolumeInformationFile  (240, 1236796, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 02106   388   NtQueryInformationFile  (240, 1236756, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02107   388   NtQueryVolumeInformationFile  (12, 1236796, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 02108   388   NtQueryVolumeInformationFile  (12, 1236480, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02109   388   NtSetInformationFile  (240, 1236584, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02110   388   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 252, ) == 0x0
 02111   388   NtMapViewOfSection  (252, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe20000), {0, 0}, 163840, ) == 0x0
 02112   388   NtClose  (252, ... ) == 0x0
 02113   388   NtWriteFile  (240, 0, 0, 0,  (240, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V\323\325s\22\262\273 \22\262\273 \22\262\273 L\220\260 \20\262\273 i\256\267 \21\262\273 \221\272\346 \36\262\273 \221\256\265 \25\262\273 }\255\277 \21\262\273 }\255\260 \23\262\273 \22\262\272 \266\262\273 $\224\260 /\262\273 Rich\22\262\273 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\340\253\231D\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\260\0\0\0\20\0\0\0\360\0\0\0\300\2\0\0\0\1\0\0\260\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0p\3\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\260\1\0\220\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02114   388   NtWriteFile  (240, 0, 0, 0,  (240, 0, 0, 0, "\0\15\265\231d@C\200\6\15?\1J2:j\217\37]\256\302\16T \327\327K^k7%\207G%\210\32\244\230!\204\374\2t\264a\232\341R\335\215Q=\251\343\243\317p6\257\30(\214=\310\212\344\316\321\366w\260\13M>u\247&\22$\240\270y\372D2+\3354\4\206Ek\3R\303\240\257c\22\1N\303\26KdP\250\221\355\273\10X.\327\310\15E\312\12I\302B)z\22oK\302\10\266\267e\14\36\314\337\226nf\353\241\276?\315%\30j\300\206\262\3157u\278Vd*\341\24\273q\320\270\236\343\271>4\4YG;\355\255(\352%\222\217\211%\307\236\320\303d\240\250\346\230\4w5Y\214\341\227 \253?v^\214\242\350\304\346\2603\217\245\23\240\350\327\305\345c\243z\357\35\21\33\204\322'\270Gm~\276\372E\256\324\5M\211\210T\207\246\327\345@\375\17\376\270\36_\33\223\4\352J\330\356\252\222\347\6\5D\207\314Gn\325r\222xl\333\326\253\6\32\345&\320i\237&z\342\305`\213j\302\2767\345\273*\26i\230\324\3721\333'P\276\10\250\342\206\337\346\313\24jB\265u\36!\317s\177m\23%\31\320\376\31\351L\13J\301\277~\225r\304\371\5\320U\336\212\37\211[\321\13\25]\322\372\36\216\223\233\247{9\213Gq\260\216\307\202Z\336\306\331\367\377\334S\30\7\313\332\21\37a\177;\3748\177F\331X\243qk\251\306|\311\355\222\310\233\34H\355'S\250\243)n\371\200\34u\260\212:a\343AZ\331\21I\13\201\203\217\2004r\301Zf\332\324\5y\2531\254#\31\202\31\14\0\31O\314GF\336dJ \274p\266\233g\225\22\363\305\246\344\277\257\351Xn\364i\300\0\324B, 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02115   388   NtWriteFile  (240, 0, 0, 0,  (240, 0, 0, 0, "\354Rn\260\33r\221O\300&\272z\3032\222\1}Yu\376kB\377X\264\334\0\243jG\217\225\247]\264~\26a\355\5\32\372\0\361\333\25\35\207?P\24\264\377\0\17;<;\365+\376v\3705J\375h\310\230\356%\314\222\265\315P\3376)\201,\3233\261\275\205Dh\266\252\6n\303&\257\244TY\324m\230\311\7\16\274\24\263\244\354\223\233=\220\267\134H\214\7]YF\260@|\3002\34\377\236\240\354\5Q\335 ~Rz\376p0\324\2139\6\225\360\325_Kk\317h\1\244\3417\230\201\2373)i\253\352\1\10\252\311p\307\331j~\10^\367G\356C\245/\225\361\254\303x\371x\326\24@\214\237\310\13\225\233\15\332\177"\232\320m\230Cz\3055\223\216\21\4\177\264\316l\314<\331n\222;\22\3\30\266\34{\263\306\274J\200VRB\250\3551<\234\276\327b\253\325\326\273\227\277\227\346\3\371)\250\230h\236\337\326T\235\343\13\243\237\6\237\275.=h\345G\326\17\310\355$\206*\257\4\212\306\234\264\30\233\357\277\254\350F\353\250\252M\346\26D\247\6\357t\217\27|\7sX\256\271\367\3418\311}\333uY\312\12\17C\345\25\343Q\251Ubf\22Q\255\26d\314\376M\342\4\274\313M\347\2550\256|\2452\207\2271\262\206\230\303\3\200\204q;\246\273\315\35\243d6\21]\334q7\26\22\11", 37888, 0x0, 0, ... {status=0x0, info=37888}, ) \232\320m\230Cz\3055\223\216\21\4\177\264\316l\314<\331n\222;\22\3\30\266\34{\263\306\274J\200VRB\250\3551<\234\276\327b\253\325\326\273\227\277\227\346\3\371)\250\230h\236\337\326T\235\343\13\243\237\6\237\275.=h\345G\326\17\310\355$\206*\257\4\212\306\234\264\30\233\357\277\254\350F\353\250\252M\346\26D\247\6\357t\217233\22ia\242W\366\7\303A\246{\325@\341\2\262\261\212Q\26\344G\220\263(\307Pu\11\15\2614\362p\344V\366M\4\332&DD\243\346\300V1*\260\375\24\7 \200bB\233\36\4ps\315Z\343\376]\24\225\14\13,\313+\275\371)\214d\3473\2\212B\271o[\224\271Q\247\233\345k\337\227\3625\203\341\2140sA\12\2619\3721\13>\27|\7sX\256\271\367\3418\311}\333uY\312\12\17C\345\25\343Q\251Ubf\22Q\255\26d\314\376M\342\4\274\313M\347\2550\256|\2452\207\2271\262\206\230\303\3\200\204q;\246\273\315\35\243d6\21]\334q7\26\22\11", 37888, 0x0, 0, ... {status=0x0, info=37888}, ) == 0x0
 02116   388   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 02117   388   NtSetInformationFile  (240, 1239028, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02118   388   NtClose  (12, ... ) == 0x0
 02119   388   NtClose  (240, ... ) == 0x0
 02120   388   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 7, 2113568, ... 240, {status=0x0, info=1}, ) }, 7, 2113568, ... 240, {status=0x0, info=1}, ) == 0x0
 02121   388   NtSetInformationFile  (240, 1239228, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02122   388   NtClose  (240, ... ) == 0x0
 02123   388   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 7, 2113568, ... 240, {status=0x0, info=1}, ) }, 7, 2113568, ... 240, {status=0x0, info=1}, ) == 0x0
 02124   388   NtSetInformationFile  (240, 1239228, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02125   388   NtClose  (240, ... ) == 0x0
 02126   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238924,  (0x80100080, {24, 0, 0x40, 0, 1238924, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 240, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 240, {status=0x0, info=1}, ) == 0x0
 02127   388   NtQueryInformationFile  (240, 1238976, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02128   388   NtClose  (240, ... ) == 0x0
 02129   388   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1238924,  (0x40100080, {24, 0, 0x40, 0, 1238924, "\??\C:\WINDOWS\System32\logon.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 240, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 240, {status=0x0, info=1}, ) == 0x0
 02130   388   NtSetInformationFile  (240, 1238976, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02131   388   NtClose  (240, ... ) == 0x0
 02132   388   NtOpenFile  (0x10080, {24, 244, 0x40, 0, 0,  (0x10080, {24, 244, 0x40, 0, 0, "lnti.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02133   388   NtCreateFile  (0x40100080, {24, 244, 0x40, 0, 1239180,  (0x40100080, {24, 244, 0x40, 0, 1239180, "lnti.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 240, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 240, {status=0x0, info=2}, ) == 0x0
 02134   388   NtWriteFile  (240, 0, 0, 0,  (240, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del lnti.bat\15\12", 120, 0x0, 0, ... {status=0x0, info=120}, ) , 120, 0x0, 0, ... {status=0x0, info=120}, ) == 0x0
 02135   388   NtClose  (240, ... ) == 0x0
 02136   388   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02137   388   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 02138   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232520, ... ) }, 1232520, ... ) == 0x0
 02139   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 02140   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 240, ... 12, ) == 0x0
 02141   388   NtClose  (240, ... ) == 0x0
 02142   388   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe20000), 0x0, 262144, ) == 0x0
 02143   388   NtClose  (12, ... ) == 0x0
 02144   388   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 02145   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02146   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02147   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02148   388   NtAllocateVirtualMemory  (-1, 1441792, 0, 16384, 4096, 4, ... 1441792, 16384, ) == 0x0
 02149   388   NtUserRegisterClassExWOW  (1234604, 1234684, 1234668, 1234700, 0, 384, 0, ... ) == 0x810dc038
 02150   388   NtUserGetAtomName  (49208, 1233368, ... ) == 0x15
 02151   388   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 02152   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230892, ... ) }, 1230892, ... ) == 0x0
 02153   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 02154   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 12, ... 240, ) == 0x0
 02155   388   NtClose  (12, ... ) == 0x0
 02156   388   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe20000), 0x0, 204800, ) == 0x0
 02157   388   NtClose  (240, ... ) == 0x0
 02158   388   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 02159   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231208, ... ) }, 1231208, ... ) == 0x0
 02160   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 02161   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 240, ... 12, ) == 0x0
 02162   388   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02163   388   NtClose  (240, ... ) == 0x0
 02164   388   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 02165   388   NtClose  (12, ... ) == 0x0
 02166   388   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02167   388   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02168   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02169   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 02170   388   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02171   388   NtClose  (12, ... ) == 0x0
 02172   388   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 02173   388   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 02174   388   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 240, ) }, ... 240, ) == 0x0
 02175   388   NtQueryValueKey  (240,  (240, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02176   388   NtClose  (240, ... ) == 0x0
 02177   388   NtClose  (12, ... ) == 0x0
 02178   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02179   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 12, ) == 0x0
 02180   388   NtQueryInformationToken  (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02181   388   NtClose  (12, ... ) == 0x0
 02182   388   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0
 02183   388   NtOpenKey  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 240, ) }, ... 240, ) == 0x0
 02184   388   NtQueryValueKey  (240,  (240, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02185   388   NtClose  (240, ... ) == 0x0
 02186   388   NtClose  (12, ... ) == 0x0
 02187   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1230708, ... ) }, 1230708, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02188   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "UxTheme.dll"}, 1230708, ... ) }, 1230708, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02189   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1230708, ... ) }, 1230708, ... ) == 0x0
 02190   388   NtUserGetProcessWindowStation  (... ) == 0x28
 02191   388   NtUserGetObjectInformation  (40, 2, 0, 0, 1233004, ... ) == 0x0
 02192   388   NtUserGetObjectInformation  (40, 2, 1392024, 16, 1233004, ... ) == 0x1
 02193   388   NtUserGetGUIThreadInfo  (388, 1232960, ... ) == 0x1
 02194   388   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232780, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232780, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0
 02195   388   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 388, 2648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 316, 388, 2648, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 388, 2648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02196   388   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 388, 2649, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 316, 388, 2649, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 388, 2649, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02197   388   NtUserCallNoParam  (29, ...
 02198   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230252, ... ) }, 1230252, ... ) == 0x0
 02197   388   NtUserCallNoParam  ... ) == 0x0
 02199   388   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 02200   388   NtGdiHfontCreate  (1232332, 356, 0, 0, 1393672, ... ) == 0x30a0347
 02201   388   NtGdiHfontCreate  (1232332, 356, 0, 0, 1393664, ... ) == 0x30a0346
 02202   388   NtRequestWaitReplyPort  (12, {32, 56, new_msg, 0, 0, 0, 0, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 388, 2650, 0} "\0\0\0\0\0\0\0\0\360\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 316, 388, 2650, 0}  (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 388, 2650, 0} "\0\0\0\0\0\0\0\0\360\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02203   388   NtMapViewOfSection  (240, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe20000), {0, 0}, 331776, ) == 0x0
 02204   388   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02205   388   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02206   388   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02207   388   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02208   388   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02209   388   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02210   388   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02211   388   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02212   388   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02213   388   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02214   388   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02215   388   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02216   388   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02217   388   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02218   388   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02219   388   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02220   388   NtAllocateVirtualMemory  (-1, 3301376, 0, 4096, 4096, 4, ... 3301376, 4096, ) == 0x0
 02221   388   NtUserGetWindowDC  (0, ... ) == 0x1010054
 02222   388   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x2100349
 02223   388   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 02224   388   NtUserCallNoParam  (29, ...
 02225   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229696, ... ) }, 1229696, ... ) == 0x0
 02224   388   NtUserCallNoParam  ... ) == 0x0
 02226   388   NtUserCallNoParam  (29, ...
 02227   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229692, ... ) }, 1229692, ... ) == 0x0
 02226   388   NtUserCallNoParam  ... ) == 0x0
 02228   388   NtUserMessageCall  (0x200e4, WM_NCCREATE, 0x0, 0x12d184, 0, 670, 0, ... ) == 0x1
 02229   388   NtUserMessageCall  (0x200e4, WM_NCCALCSIZE, 0x0, 0x12d1ac, 0, 670, 0, ... ) == 0x0
 02230   388   NtUserSetProp  (131300, 43288, -1, ... ) == 0x1
 02151   388   NtUserCreateWindowEx  ... ) == 0x200e4
 02231   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 252, ) }, ... 252, ) == 0x0
 02232   388   NtQueryValueKey  (252,  (252, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02233   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 256, ) }, ... 256, ) == 0x0
 02234   388   NtQueryValueKey  (256,  (256, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02235   388   NtClose  (256, ... ) == 0x0
 02236   388   NtClose  (252, ... ) == 0x0
 02237   388   NtAllocateVirtualMemory  (-1, 1458176, 0, 24576, 4096, 4, ... 1458176, 24576, ) == 0x0
 02238   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0
 02239   388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 256, ) == 0x0
 02240   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02241   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 260, ) == 0x0
 02242   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02243   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02244   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233132,  (0xc0100080, {24, 0, 0x40, 0, 1233132, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 264, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 264, {status=0x0, info=1}, ) == 0x0
 02245   388   NtSetInformationFile  (264, 1233188, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02246   388   NtSetInformationFile  (264, 1233180, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02247   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02248   388   NtWriteFile  (264, 253, 0, 0,  (264, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02249   388   NtReadFile  (264, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (264, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\232"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0
 02250   388   NtFsControlFile  (264, 253, 0x0, 0x0, 0x11c017,  (264, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\232"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (264, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\232"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 02251   388   NtClose  (260, ... ) == 0x0
 02252   388   NtClose  (264, ... ) == 0x0
 02253   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1233176, ... ) }, 1233176, ... ) == 0x0
 02254   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02255   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02256   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "lnti.bat"}, 1232996, ... ) }, 1232996, ... ) == 0x0
 02257   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02258   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02259   388   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1329880, 0,  (0x1f0003, {24, 52, 0x80, 1329880, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 264, ) }, 0, 2147483647, ... 264, ) == STATUS_OBJECT_NAME_EXISTS
 02260   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 02261   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 02262   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02263   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 260, ) }, ... 260, ) == 0x0
 02264   388   NtQueryValueKey  (260,  (260, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02265   388   NtClose  (260, ... ) == 0x0
 02266   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 02267   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 02268   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02269   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 260, ) }, ... 260, ) == 0x0
 02270   388   NtQueryValueKey  (260,  (260, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02271   388   NtClose  (260, ... ) == 0x0
 02272   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 02273   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 02274   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02275   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 260, ) }, ... 260, ) == 0x0
 02276   388   NtQueryValueKey  (260,  (260, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02277   388   NtClose  (260, ... ) == 0x0
 02278   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 02279   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 02280   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02281   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 260, ) }, ... 260, ) == 0x0
 02282   388   NtQueryValueKey  (260,  (260, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02283   388   NtClose  (260, ... ) == 0x0
 02284   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 260, ) }, ... 260, ) == 0x0
 02285   388   NtEnumerateKey  (260, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (260, 0, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0
 02286   388   NtOpenKey  (0x20019, {24, 260, 0x40, 0, 0,  (0x20019, {24, 260, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 268, ) }, ... 268, ) == 0x0
 02287   388   NtQueryValueKey  (268,  (268, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02288   388   NtClose  (268, ... ) == 0x0
 02289   388   NtEnumerateKey  (260, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name= (260, 1, Basic, 288, ... {LastWrite={0x5aa4a4ac,0x1c73999}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0
 02290   388   NtOpenKey  (0x20019, {24, 260, 0x40, 0, 0,  (0x20019, {24, 260, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 268, ) }, ... 268, ) == 0x0
 02291   388   NtQueryValueKey  (268,  (268, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02292   388   NtClose  (268, ... ) == 0x0
 02293   388   NtEnumerateKey  (260, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name= (260, 2, Basic, 288, ... {LastWrite={0x98c5c536,0x1c738c7}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0
 02294   388   NtOpenKey  (0x20019, {24, 260, 0x40, 0, 0,  (0x20019, {24, 260, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 268, ) }, ... 268, ) == 0x0
 02295   388   NtQueryValueKey  (268,  (268, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02296   388   NtClose  (268, ... ) == 0x0
 02297   388   NtEnumerateKey  (260, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name= (260, 3, Basic, 288, ... {LastWrite={0x5aa70706,0x1c73999}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0
 02298   388   NtOpenKey  (0x20019, {24, 260, 0x40, 0, 0,  (0x20019, {24, 260, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 268, ) }, ... 268, ) == 0x0
 02299   388   NtQueryValueKey  (268,  (268, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02300   388   NtClose  (268, ... ) == 0x0
 02301   388   NtEnumerateKey  (260, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02302   388   NtClose  (260, ... ) == 0x0
 02303   388   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02304   388   NtOpenProcessToken  (-1, 0x8, ... 260, ) == 0x0
 02305   388   NtQueryInformationToken  (260, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 02306   388   NtClose  (260, ... ) == 0x0
 02307   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02308   388   NtCreateKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, 0, 0x0, 0, ... 260, 2, ) }, 0, 0x0, 0, ... 260, 2, ) == 0x0
 02309   388   NtOpenKey  (0x2000000, {24, 260, 0x40, 0, 0, ""}, ... 268, ) == 0x0
 02310   388   NtCreateKey  (0x20019, {24, 268, 0x40, 0, 0,  (0x20019, {24, 268, 0x40, 0, 0, "SessionInfo\00000000000091ad"}, 0, 0x0, 1, ... 272, 2, ) }, 0, 0x0, 1, ... 272, 2, ) == 0x0
 02311   388   NtClose  (268, ... ) == 0x0
 02312   388   NtOpenKey  (0x20019, {24, 272, 0x40, 0, 0,  (0x20019, {24, 272, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02313   388   NtClose  (272, ... ) == 0x0
 02314   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02315   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 272, ) == 0x0
 02316   388   NtQueryInformationToken  (272, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02317   388   NtClose  (272, ... ) == 0x0
 02318   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 272, ) }, ... 272, ) == 0x0
 02319   388   NtSetInformationObject  (274, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 02320   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02321   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02322   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 268, ) }, ... 268, ) == 0x0
 02323   388   NtQueryKey  (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 02324   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02325   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 02326   388   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02327   388   NtClose  (276, ... ) == 0x0
 02328   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02329   388   NtQueryValueKey  (270,  (270, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02330   388   NtClose  (270, ... ) == 0x0
 02331   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02332   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02333   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 268, ) }, ... 268, ) == 0x0
 02334   388   NtQueryKey  (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 02335   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02336   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 02337   388   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02338   388   NtClose  (276, ... ) == 0x0
 02339   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02340   388   NtQueryValueKey  (270,  (270, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02341   388   NtClose  (270, ... ) == 0x0
 02342   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02343   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02344   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 268, ) }, ... 268, ) == 0x0
 02345   388   NtQueryKey  (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0
 02346   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02347   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 02348   388   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02349   388   NtClose  (276, ... ) == 0x0
 02350   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02351   388   NtQueryValueKey  (270,  (270, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (270, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02352   388   NtClose  (270, ... ) == 0x0
 02353   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02354   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESC"}, 138, ) }, 138, ) == 0x0
 02355   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02356   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 268, ) }, ... 268, ) == 0x0
 02357   388   NtQueryKey  (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02358   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02359   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 02360   388   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02361   388   NtClose  (276, ... ) == 0x0
 02362   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02363   388   NtQueryValueKey  (270, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (270, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02364   388   NtQueryKey  (270, Name, 392, ... {Name= (270, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02365   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02366   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 02367   388   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02368   388   NtClose  (276, ... ) == 0x0
 02369   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02370   388   NtQueryValueKey  (270,  (270, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02371   388   NtClose  (270, ... ) == 0x0
 02372   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 02373   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 02374   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02375   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 268, ) }, ... 268, ) == 0x0
 02376   388   NtQueryValueKey  (268,  (268, "EnforceShellExtensionSecurity", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02377   388   NtClose  (268, ... ) == 0x0
 02378   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 268, ) }, ... 268, ) == 0x0
 02379   388   NtQueryValueKey  (268,  (268, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02380   388   NtClose  (268, ... ) == 0x0
 02381   388   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 268, ) }, ... 268, ) == 0x0
 02382   388   NtQueryValueKey  (268, " (268, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, )  (268, "", Full, 520, ... TitleIdx=0, Type=2, Name="", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) %\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 88, ) == 0x0
 02383   388   NtClose  (268, ... ) == 0x0
 02384   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 268, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 268, {status=0x0, info=1}, ) == 0x0
 02385   388   NtQueryVolumeInformationFile  (268, 1233316, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02386   388   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 276, ) }, ... 276, ) == 0x0
 02387   388   NtWaitForSingleObject  (276, 0, {-1000000, -1}, ... ) == 0x0
 02388   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 280, ) }, ... 280, ) == 0x0
 02389   388   NtMapViewOfSection  (280, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 57344, ) == 0x0
 02390   388   NtQueryInformationFile  (268, 1233280, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02391   388   NtQueryInformationFile  (268, 1233320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02392   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02393   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 02394   388   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02395   388   NtClose  (284, ... ) == 0x0
 02396   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02397   388   NtReleaseMutant  (276, ... 0x0, ) == 0x0
 02398   388   NtClose  (268, ... ) == 0x0
 02399   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 268, ) }, ... 268, ) == 0x0
 02400   388   NtQueryValueKey  (268,  (268, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (268, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02401   388   NtClose  (268, ... ) == 0x0
 02402   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02403   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1231068, ... ) }, 1231068, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02404   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "CLBCATQ.DLL"}, 1231068, ... ) }, 1231068, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02405   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1231068, ... ) }, 1231068, ... ) == 0x0
 02406   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 268, {status=0x0, info=1}, ) }, 5, 96, ... 268, {status=0x0, info=1}, ) == 0x0
 02407   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 268, ... 284, ) == 0x0
 02408   388   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02409   388   NtClose  (268, ... ) == 0x0
 02410   388   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0
 02411   388   NtClose  (284, ... ) == 0x0
 02412   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02413   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1230264, ... ) }, 1230264, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02414   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "COMRes.dll"}, 1230264, ... ) }, 1230264, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02415   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1230264, ... ) }, 1230264, ... ) == 0x0
 02416   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02417   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 284, ... 268, ) == 0x0
 02418   388   NtQuerySection  (268, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02419   388   NtClose  (284, ... ) == 0x0
 02420   388   NtMapViewOfSection  (268, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0
 02421   388   NtClose  (268, ... ) == 0x0
 02422   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 268, ) }, ... 268, ) == 0x0
 02423   388   NtMapViewOfSection  (268, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 02424   388   NtClose  (268, ... ) == 0x0
 02425   388   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02426   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02427   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 268, ) }, ... 268, ) == 0x0
 02428   388   NtQueryValueKey  (268,  (268, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02429   388   NtQueryValueKey  (268,  (268, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02430   388   NtClose  (268, ... ) == 0x0
 02431   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1231096, ... ) }, 1231096, ... ) == 0x0
 02432   388   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02433   388   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02434   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 268, ) }, ... 268, ) == 0x0
 02435   388   NtQueryValueKey  (268,  (268, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (268, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02436   388   NtClose  (268, ... ) == 0x0
 02437   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 268, ) }, ... 268, ) == 0x0
 02438   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 02439   388   NtNotifyChangeKey  (268, 284, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02440   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 288, ) }, ... 288, ) == 0x0
 02441   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 292, ) == 0x0
 02442   388   NtNotifyChangeKey  (288, 292, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02443   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 296, ) == 0x0
 02444   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 300, ) }, ... 300, ) == 0x0
 02445   388   NtSetInformationObject  (300, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 02446   388   NtNotifyChangeKey  (300, 296, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02447   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 304, ) }, ... 304, ) == 0x0
 02448   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 308, ) == 0x0
 02449   388   NtNotifyChangeKey  (304, 308, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02450   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 312, ) == 0x0
 02451   388   NtNotifyChangeKey  (300, 312, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02452   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 316, ) }, ... 316, ) == 0x0
 02453   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 320, ) == 0x0
 02454   388   NtNotifyChangeKey  (316, 320, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02455   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 324, ) }, ... 324, ) == 0x0
 02456   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 328, ) == 0x0
 02457   388   NtNotifyChangeKey  (324, 328, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02458   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 332, ) }, ... 332, ) == 0x0
 02459   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 336, ) == 0x0
 02460   388   NtNotifyChangeKey  (332, 336, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02461   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 340, ) }, ... 340, ) == 0x0
 02462   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 344, ) == 0x0
 02463   388   NtNotifyChangeKey  (340, 344, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02464   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 348, ) }, ... 348, ) == 0x0
 02465   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 352, ) == 0x0
 02466   388   NtNotifyChangeKey  (348, 352, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02467   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 356, ) == 0x0
 02468   388   NtNotifyChangeKey  (300, 356, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02469   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 360, ) }, ... 360, ) == 0x0
 02470   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 364, ) == 0x0
 02471   388   NtNotifyChangeKey  (360, 364, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02472   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 368, ) }, ... 368, ) == 0x0
 02473   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 372, ) == 0x0
 02474   388   NtNotifyChangeKey  (368, 372, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02475   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 376, ) }, ... 376, ) == 0x0
 02476   388   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 380, ) == 0x0
 02477   388   NtNotifyChangeKey  (376, 380, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 02478   388   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02479   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 384, ) }, ... 384, ) == 0x0
 02480   388   NtQueryValueKey  (384,  (384, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (384, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02481   388   NtClose  (384, ... ) == 0x0
 02482   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02483   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02484   388   NtOpenSection  (0x4, {24, 52, 0x0, 0, 0,  (0x4, {24, 52, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 384, ) }, ... 384, ) == 0x0
 02485   388   NtMapViewOfSection  (384, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe80000), {0, 0}, 24576, ) == 0x0
 02486   388   NtAllocateVirtualMemory  (-1, 3305472, 0, 8192, 4096, 4, ... 3305472, 8192, ) == 0x0
 02487   388   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02488   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 388, ) }, ... 388, ) == 0x0
 02489   388   NtQueryValueKey  (388,  (388, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (388, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02490   388   NtClose  (388, ... ) == 0x0
 02491   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02492   388   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02493   388   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 1, ... 15269888, 65536, ) == 0x0
 02494   388   NtAllocateVirtualMemory  (-1, 15269888, 0, 4096, 4096, 4, ... 15269888, 4096, ) == 0x0
 02495   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02496   388   NtAllocateVirtualMemory  (-1, 1482752, 0, 4096, 4096, 4, ... 1482752, 4096, ) == 0x0
 02497   388   NtOpenKey  (0x20019, {24, 274, 0x40, 0, 0,  (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02498   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0
 02499   388   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02500   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02501   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02502   388   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02503   388   NtClose  (392, ... ) == 0x0
 02504   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02505   388   NtOpenKey  (0x1, {24, 390, 0x40, 0, 0,  (0x1, {24, 390, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02506   388   NtClose  (390, ... ) == 0x0
 02507   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02508   388   NtOpenKey  (0x20019, {24, 274, 0x40, 0, 0,  (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02509   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0
 02510   388   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02511   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02512   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02513   388   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02514   388   NtClose  (392, ... ) == 0x0
 02515   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02516   388   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "InprocServer32"}, ... 392, ) }, ... 392, ) == 0x0
 02517   388   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02518   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02519   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02520   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02521   388   NtClose  (396, ... ) == 0x0
 02522   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02523   388   NtQueryValueKey  (394,  (394, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02524   388   NtClose  (394, ... ) == 0x0
 02525   388   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02526   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02527   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02528   388   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02529   388   NtClose  (392, ... ) == 0x0
 02530   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02531   388   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02532   388   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02533   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02534   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02535   388   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02536   388   NtClose  (392, ... ) == 0x0
 02537   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02538   388   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02539   388   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02540   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02541   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02542   388   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02543   388   NtClose  (392, ... ) == 0x0
 02544   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02545   388   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "InprocServer32"}, ... 392, ) }, ... 392, ) == 0x0
 02546   388   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02547   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02548   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02549   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02550   388   NtClose  (396, ... ) == 0x0
 02551   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02552   388   NtQueryValueKey  (394, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (394, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0d\0o\0c\0v\0w\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02553   388   NtClose  (394, ... ) == 0x0
 02554   388   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02555   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02556   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02557   388   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02558   388   NtClose  (392, ... ) == 0x0
 02559   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02560   388   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02561   388   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02562   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02563   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02564   388   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02565   388   NtClose  (392, ... ) == 0x0
 02566   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02567   388   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02568   388   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02569   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02570   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02571   388   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02572   388   NtClose  (392, ... ) == 0x0
 02573   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02574   388   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02575   388   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}_"}, 162, ) }, 162, ) == 0x0
 02576   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02577   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02578   388   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02579   388   NtClose  (392, ... ) == 0x0
 02580   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02581   388   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02582   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02583   388   NtOpenKey  (0x20019, {24, 274, 0x40, 0, 0,  (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02584   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 392, ) }, ... 392, ) == 0x0
 02585   388   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02586   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02587   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02588   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02589   388   NtClose  (396, ... ) == 0x0
 02590   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02591   388   NtQueryValueKey  (394,  (394, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02592   388   NtClose  (394, ... ) == 0x0
 02593   388   NtClose  (390, ... ) == 0x0
 02594   388   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {316, 0}, ... 388, ) == 0x0
 02595   388   NtQueryInformationProcess  (388, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 02596   388   NtClose  (388, ... ) == 0x0
 02597   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02598   388   NtOpenKey  (0x20019, {24, 274, 0x40, 0, 0,  (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02599   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0
 02600   388   NtClose  (390, ... ) == 0x0
 02601   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES3"}, 138, ) }, 138, ) == 0x0
 02602   388   NtOpenKey  (0x20019, {24, 274, 0x40, 0, 0,  (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02603   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0
 02604   388   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02605   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02606   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02607   388   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02608   388   NtClose  (392, ... ) == 0x0
 02609   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02610   388   NtOpenKey  (0x2000000, {24, 390, 0x40, 0, 0,  (0x2000000, {24, 390, 0x40, 0, 0, "InprocServer32"}, ... 392, ) }, ... 392, ) == 0x0
 02611   388   NtQueryKey  (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02612   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02613   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02614   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02615   388   NtClose  (396, ... ) == 0x0
 02616   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02617   388   NtQueryValueKey  (394,  (394, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (394, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0
 02618   388   NtClose  (394, ... ) == 0x0
 02619   388   NtClose  (390, ... ) == 0x0
 02620   388   NtAllocateVirtualMemory  (-1, 1486848, 0, 8192, 4096, 4, ... 1486848, 8192, ) == 0x0
 02621   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02622   388   NtOpenKey  (0x20019, {24, 274, 0x40, 0, 0,  (0x20019, {24, 274, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02623   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 388, ) }, ... 388, ) == 0x0
 02624   388   NtQueryKey  (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0
 02625   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02626   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02627   388   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02628   388   NtClose  (392, ... ) == 0x0
 02629   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02630   388   NtOpenKey  (0x1, {24, 390, 0x40, 0, 0,  (0x1, {24, 390, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02631   388   NtClose  (390, ... ) == 0x0
 02632   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227488, ... ) }, 1227488, ... ) == 0x0
 02633   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 02634   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 388, ... 392, ) == 0x0
 02635   388   NtClose  (388, ... ) == 0x0
 02636   388   NtMapViewOfSection  (392, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xea0000), 0x0, 1339392, ) == 0x0
 02637   388   NtClose  (392, ... ) == 0x0
 02638   388   NtUnmapViewOfSection  (-1, 0xea0000, ... ) == 0x0
 02639   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1227804, ... ) }, 1227804, ... ) == 0x0
 02640   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 5, 96, ... 392, {status=0x0, info=1}, ) }, 5, 96, ... 392, {status=0x0, info=1}, ) == 0x0
 02641   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 392, ... 388, ) == 0x0
 02642   388   NtQuerySection  (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02643   388   NtClose  (392, ... ) == 0x0
 02644   388   NtMapViewOfSection  (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 1347584, ) == 0x0
 02645   388   NtClose  (388, ... ) == 0x0
 02646   388   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 02647   388   NtQueryDefaultUILanguage  (1226168, ...
 02648   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02649   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482108, ) == 0x0
 02650   388   NtQueryInformationToken  (-2147482108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02651   388   NtClose  (-2147482108, ... ) == 0x0
 02652   388   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482108, ) }, ... -2147482108, ) == 0x0
 02653   388   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02654   388   NtOpenKey  (0x80000000, {24, -2147482108, 0x640, 0, 0,  (0x80000000, {24, -2147482108, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482112, ) }, ... -2147482112, ) == 0x0
 02655   388   NtQueryValueKey  (-2147482112,  (-2147482112, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02656   388   NtClose  (-2147482112, ... ) == 0x0
 02657   388   NtClose  (-2147482108, ... ) == 0x0
 02647   388   NtQueryDefaultUILanguage  ... ) == 0x0
 02658   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02659   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll"}, 1, 96, ... 388, {status=0x0, info=1}, ) }, 1, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 02660   388   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 388, ... 392, ) == 0x0
 02661   388   NtMapViewOfSection  (392, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xea0000), 0x0, 1339392, ) == 0x0
 02662   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02663   388   NtQueryDefaultLocale  (1, 1224204, ... ) == 0x0
 02664   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shdocvw.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02665   388   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1225060, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1225060, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\204\1\0\0\377\377\377\377\0\0\0\0\10\340\365\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0d\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 388, 2651, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\204\1\0\0\377\377\377\377\0\0\0\0\10\340\365\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0d\270\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 316, 388, 2651, 0}  (24, {128, 156, new_msg, 0, 1225060, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\204\1\0\0\377\377\377\377\0\0\0\0\10\340\365\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0d\270\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 388, 2651, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\264\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\204\1\0\0\377\377\377\377\0\0\0\0\10\340\365\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0d\270\22\0\0\0\0\0" )  ) == 0x0
 02666   388   NtClose  (388, ... ) == 0x0
 02667   388   NtClose  (392, ... ) == 0x0
 02668   388   NtUnmapViewOfSection  (-1, 0xea0000, ... ) == 0x0
 02669   388   NtUnmapViewOfSection  (-1, 0x12b864, ... ) == STATUS_NOT_MAPPED_VIEW
 02670   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02671   388   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02672   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02673   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02674   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1222744, ... ) }, 1222744, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02675   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02676   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02677   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02678   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1223336, ... ) }, 1223336, ... ) == 0x0
 02679   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 392, {status=0x0, info=1}, ) }, 3, 33, ... 392, {status=0x0, info=1}, ) == 0x0
 02680   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02681   388   NtUserFindExistingCursorIcon  (1227288, 1227304, 1227872, ... ) == 0x10011
 02682   388   NtUserRegisterClassExWOW  (1227740, 1227820, 1227804, 1227836, 0, 384, 0, ... ) == 0x810d0000
 02683   388   NtUserGetClassInfo  (1905590272, 1227904, 1227856, 1227932, 0, ... ) == 0xc05f
 02684   388   NtGdiCreateHalftonePalette  (0, ... ) == 0x17080461
 02685   388   NtGdiDoPalette  (386401377, 0, 256, 1226996, 2, 0, ... ) == 0x100
 02686   388   NtGdiDeleteObjectApp  (386401377, ... ) == 0x1
 02687   388   NtGdiCreateCompatibleDC  (0, ... ) == 0x18010461
 02688   388   NtGdiCreatePaletteInternal  (1226992, 256, ... ) == 0xd08046c
 02689   388   NtGdiDeleteObjectApp  (402719841, ... ) == 0x1
 02690   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESn"}, 138, ) }, 138, ) == 0x0
 02691   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02692   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 388, ) }, ... 388, ) == 0x0
 02693   388   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0
 02694   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02695   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02696   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02697   388   NtClose  (396, ... ) == 0x0
 02698   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02699   388   NtQueryValueKey  (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02700   388   NtClose  (390, ... ) == 0x0
 02701   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02702   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02703   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 388, ) }, ... 388, ) == 0x0
 02704   388   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02705   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02706   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02707   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02708   388   NtClose  (396, ... ) == 0x0
 02709   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02710   388   NtQueryValueKey  (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02711   388   NtClose  (390, ... ) == 0x0
 02712   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02713   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02714   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 388, ) }, ... 388, ) == 0x0
 02715   388   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02716   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02717   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02718   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02719   388   NtClose  (396, ... ) == 0x0
 02720   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02721   388   NtQueryValueKey  (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02722   388   NtClose  (390, ... ) == 0x0
 02723   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02724   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02725   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 388, ) }, ... 388, ) == 0x0
 02726   388   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02727   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02728   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02729   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02730   388   NtClose  (396, ... ) == 0x0
 02731   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02732   388   NtQueryValueKey  (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02733   388   NtClose  (390, ... ) == 0x0
 02734   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02735   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02736   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 388, ) }, ... 388, ) == 0x0
 02737   388   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0
 02738   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02739   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02740   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02741   388   NtClose  (396, ... ) == 0x0
 02742   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02743   388   NtQueryValueKey  (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 02744   388   NtClose  (390, ... ) == 0x0
 02745   388   NtAllocateVirtualMemory  (-1, 1495040, 0, 4096, 4096, 4, ... 1495040, 4096, ) == 0x0
 02746   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02747   388   NtAllocateVirtualMemory  (-1, 1499136, 0, 12288, 4096, 4, ... 1499136, 12288, ) == 0x0
 02748   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0
 02749   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02750   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 388, ) }, ... 388, ) == 0x0
 02751   388   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 02752   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02753   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02754   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02755   388   NtClose  (396, ... ) == 0x0
 02756   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02757   388   NtQueryValueKey  (390,  (390, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02758   388   NtClose  (390, ... ) == 0x0
 02759   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02760   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02761   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 388, ) }, ... 388, ) == 0x0
 02762   388   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0
 02763   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02764   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02765   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02766   388   NtClose  (396, ... ) == 0x0
 02767   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02768   388   NtQueryValueKey  (390,  (390, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02769   388   NtClose  (390, ... ) == 0x0
 02770   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02771   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02772   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 388, ) }, ... 388, ) == 0x0
 02773   388   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0
 02774   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02775   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02776   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02777   388   NtClose  (396, ... ) == 0x0
 02778   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02779   388   NtQueryValueKey  (390,  (390, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02780   388   NtClose  (390, ... ) == 0x0
 02781   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02782   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02783   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 388, ) }, ... 388, ) == 0x0
 02784   388   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0
 02785   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02786   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02787   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02788   388   NtClose  (396, ... ) == 0x0
 02789   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02790   388   NtQueryValueKey  (390,  (390, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02791   388   NtClose  (390, ... ) == 0x0
 02792   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 388, ) }, ... 388, ) == 0x0
 02793   388   NtEnumerateValueKey  (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 02794   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02795   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02796   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 396, ) }, ... 396, ) == 0x0
 02797   388   NtQueryKey  (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02798   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02799   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 400, ) == 0x0
 02800   388   NtQueryInformationToken  (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02801   388   NtClose  (400, ... ) == 0x0
 02802   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02803   388   NtQueryValueKey  (398, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (398, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 02804   388   NtQueryKey  (398, Name, 392, ... {Name= (398, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02805   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02806   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 400, ) == 0x0
 02807   388   NtQueryInformationToken  (400, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02808   388   NtClose  (400, ... ) == 0x0
 02809   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02810   388   NtQueryValueKey  (398,  (398, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02811   388   NtClose  (398, ... ) == 0x0
 02812   388   NtEnumerateValueKey  (388, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02813   388   NtClose  (388, ... ) == 0x0
 02814   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02815   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02816   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\lnti.bat"}, 1232448, ... ) }, 1232448, ... ) == 0x0
 02817   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02818   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02819   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) }, ... 388, ) == 0x0
 02820   388   NtQueryValueKey  (388,  (388, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (388, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (388, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 02821   388   NtClose  (388, ... ) == 0x0
 02822   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02823   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02824   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\lnti.bat"}, 1233476, ... ) }, 1233476, ... ) == 0x0
 02825   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02826   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02827   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) }, ... 388, ) == 0x0
 02828   388   NtQueryValueKey  (388,  (388, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02829   388   NtQueryValueKey  (388,  (388, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (388, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 02830   388   NtClose  (388, ... ) == 0x0
 02831   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234300,  (0x80100080, {24, 0, 0x40, 0, 1234300, "\??\u:\work\lnti.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 388, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 388, {status=0x0, info=1}, ) == 0x0
 02832   388   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 396, ) }, ... 396, ) == 0x0
 02833   388   NtQuerySymbolicLinkObject  (396, ...  (396, ... "\Device\WinDfs\U:00000000000091ad", 66, ) , 66, ) == 0x0
 02834   388   NtClose  (396, ... ) == 0x0
 02835   388   NtQueryInformationFile  (388, 1232744, 528, Name, ... {status=0x0, info=68}, ) == 0x0
 02836   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02837   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02838   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\lnti.bat"}, 1231424, ... ) }, 1231424, ... ) == 0x0
 02839   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0
 02840   388   NtQueryDirectoryFile  (396, 0, 0, 0, 1230784, 616, BothDirectory, 1,  (396, 0, 0, 0, 1230784, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 02841   388   NtClose  (396, ... ) == 0x0
 02842   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0
 02843   388   NtQueryDirectoryFile  (396, 0, 0, 0, 1230784, 616, BothDirectory, 1,  (396, 0, 0, 0, 1230784, 616, BothDirectory, 1, "lnti.bat", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02844   388   NtClose  (396, ... ) == 0x0
 02845   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02846   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02847   388   NtSetInformationFile  (388, 1234184, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 02848   388   NtReadFile  (388, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2},  (388, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "@e", ) , ) == 0x0
 02849   388   NtWaitForSingleObject  (108, 0, 0x0, ... ) == 0x0
 02850   388   NtClearEvent  (128, ... ) == 0x0
 02851   388   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 02852   388   NtWaitForSingleObject  (108, 0, 0x0, ... ) == 0x0
 02853   388   NtSetEvent  (128, ... 0x0, ) == 0x0
 02854   388   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 02855   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0
 02856   388   NtQueryValueKey  (396,  (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02857   388   NtQueryValueKey  (396,  (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) }, 62, ) == 0x0
 02858   388   NtClose  (396, ... ) == 0x0
 02859   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0
 02860   388   NtQueryValueKey  (396,  (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02861   388   NtQueryValueKey  (396,  (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02862   388   NtClose  (396, ... ) == 0x0
 02863   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0
 02864   388   NtQueryValueKey  (396,  (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02865   388   NtQueryValueKey  (396,  (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) }, 48, ) == 0x0
 02866   388   NtClose  (396, ... ) == 0x0
 02867   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0
 02868   388   NtQueryValueKey  (396,  (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02869   388   NtQueryValueKey  (396,  (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) }, 50, ) == 0x0
 02870   388   NtClose  (396, ... ) == 0x0
 02871   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0
 02872   388   NtQueryValueKey  (396,  (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02873   388   NtQueryValueKey  (396,  (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) }, 54, ) == 0x0
 02874   388   NtClose  (396, ... ) == 0x0
 02875   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0
 02876   388   NtQueryValueKey  (396,  (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02877   388   NtQueryValueKey  (396,  (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) }, 46, ) == 0x0
 02878   388   NtClose  (396, ... ) == 0x0
 02879   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02880   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 396, ) }, ... 396, ) == 0x0
 02881   388   NtQueryValueKey  (396,  (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0
 02882   388   NtQueryValueKey  (396,  (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) }, 42, ) == 0x0
 02883   388   NtClose  (396, ... ) == 0x0
 02884   388   NtWaitForMultipleObjects  (2, (108, 128, ), 0, 0, 0x0, ... ) == 0x0
 02885   388   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 02886   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02887   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 396, ) == 0x0
 02888   388   NtQueryInformationToken  (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02889   388   NtClose  (396, ... ) == 0x0
 02890   388   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 396, ) }, ... 396, ) == 0x0
 02891   388   NtOpenKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02892   388   NtClose  (396, ... ) == 0x0
 02893   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 396, ) }, ... 396, ) == 0x0
 02894   388   NtQueryValueKey  (396,  (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02895   388   NtQueryValueKey  (396,  (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02896   388   NtQueryValueKey  (396,  (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02897   388   NtQueryValueKey  (396,  (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0
 02898   388   NtClose  (396, ... ) == 0x0
 02899   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 396, ) }, ... 396, ) == 0x0
 02900   388   NtQueryValueKey  (396,  (396, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02901   388   NtQueryValueKey  (396,  (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02902   388   NtQueryValueKey  (396,  (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02903   388   NtQueryValueKey  (396,  (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02904   388   NtQueryValueKey  (396,  (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0
 02905   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rsaenh.dll"}, 1231472, ... ) }, 1231472, ... ) == 0x0
 02906   388   NtOpenKey  (0x20119, {24, 28, 0x40, 0, 0,  (0x20119, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 400, ) }, ... 400, ) == 0x0
 02907   388   NtQueryValueKey  (400,  (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02908   388   NtQueryValueKey  (400,  (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02909   388   NtQueryValueKey  (400,  (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02910   388   NtQueryValueKey  (400,  (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (400, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="a\0c\00\0b\04\0d\01\00\0-\0a\02\0c\07\0-\04\0f\03\03\0-\08\0e\06\04\0-\07\08\01\0e\0b\0a\01\0f\0f\0f\0b\0b\0\0\0"}, 86, ) }, 86, ) == 0x0
 02911   388   NtClose  (400, ... ) == 0x0
 02912   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02913   388   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02914   388   NtOpenProcessToken  (-1, 0x8, ... 400, ) == 0x0
 02915   388   NtQueryInformationToken  (400, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0
 02916   388   NtClose  (400, ... ) == 0x0
 02917   388   NtClose  (396, ... ) == 0x0
 02918   388   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02919   388   NtOpenProcessToken  (-1, 0x8, ... 396, ) == 0x0
 02920   388   NtQueryInformationToken  (396, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02921   388   NtClose  (396, ... ) == 0x0
 02922   388   NtOpenKey  (0x2000000, {24, 300, 0x40, 0, 0,  (0x2000000, {24, 300, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 396, ) }, ... 396, ) == 0x0
 02923   388   NtCreateKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"}, 0, 0x0, 0, ... 400, 2, ) }, 0, 0x0, 0, ... 400, 2, ) == 0x0
 02924   388   NtClose  (396, ... ) == 0x0
 02925   388   NtQueryValueKey  (400,  (400, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) }, 16, ) == 0x0
 02926   388   NtClose  (400, ... ) == 0x0
 02927   388   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02928   388   NtOpenProcessToken  (-1, 0x8, ... 400, ) == 0x0
 02929   388   NtQueryInformationToken  (400, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02930   388   NtClose  (400, ... ) == 0x0
 02931   388   NtOpenKey  (0x2000000, {24, 300, 0x40, 0, 0,  (0x2000000, {24, 300, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 400, ) }, ... 400, ) == 0x0
 02932   388   NtOpenKey  (0x20019, {24, 400, 0x40, 0, 0,  (0x20019, {24, 400, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Security"}, ... 396, ) }, ... 396, ) == 0x0
 02933   388   NtClose  (400, ... ) == 0x0
 02934   388   NtQueryValueKey  (396,  (396, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) }, 24, ) == 0x0
 02935   388   NtClose  (396, ... ) == 0x0
 02936   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02937   388   NtOpenThreadToken  (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
 02938   388   NtOpenProcessToken  (-1, 0x8, ... 396, ) == 0x0
 02939   388   NtQueryInformationToken  (396, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 02940   388   NtClose  (396, ... ) == 0x0
 02941   388   NtOpenKey  (0x2000000, {24, 300, 0x40, 0, 0,  (0x2000000, {24, 300, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 396, ) }, ... 396, ) == 0x0
 02942   388   NtOpenKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02943   388   NtClose  (396, ... ) == 0x0
 02944   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02945   388   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 388, ... 396, ) == 0x0
 02946   388   NtMapViewOfSection  (396, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xea0000), {0, 0}, 4096, ) == 0x0
 02947   388   NtClose  (396, ... ) == 0x0
 02948   388   NtQueryInformationFile  (388, 1233688, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02949   388   NtUnmapViewOfSection  (-1, 0xea0000, ... ) == 0x0
 02950   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 396, ) }, ... 396, ) == 0x0
 02951   388   NtOpenKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "EncodingType 0"}, ... 400, ) }, ... 400, ) == 0x0
 02952   388   NtOpenKey  (0x20019, {24, 400, 0x40, 0, 0,  (0x20019, {24, 400, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 404, ) }, ... 404, ) == 0x0
 02953   388   NtEnumerateKey  (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02954   388   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 408, ) }, ... 408, ) == 0x0
 02955   388   NtQueryKey  (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02956   388   NtEnumerateValueKey  (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 02957   388   NtEnumerateValueKey  (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 02958   388   NtClose  (408, ... ) == 0x0
 02959   388   NtEnumerateKey  (404, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02960   388   NtClose  (404, ... ) == 0x0
 02961   388   NtClose  (400, ... ) == 0x0
 02962   388   NtClose  (396, ... ) == 0x0
 02963   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 396, ) }, ... 396, ) == 0x0
 02964   388   NtOpenKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "EncodingType 0"}, ... 400, ) }, ... 400, ) == 0x0
 02965   388   NtOpenKey  (0x20019, {24, 400, 0x40, 0, 0,  (0x20019, {24, 400, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 404, ) }, ... 404, ) == 0x0
 02966   388   NtEnumerateKey  (404, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (404, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 02967   388   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 408, ) }, ... 408, ) == 0x0
 02968   388   NtQueryKey  (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02969   388   NtEnumerateValueKey  (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 02970   388   NtEnumerateValueKey  (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 02971   388   NtClose  (408, ... ) == 0x0
 02972   388   NtEnumerateKey  (404, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (404, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02973   388   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 408, ) }, ... 408, ) == 0x0
 02974   388   NtQueryKey  (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02975   388   NtEnumerateValueKey  (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02976   388   NtEnumerateValueKey  (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02977   388   NtClose  (408, ... ) == 0x0
 02978   388   NtEnumerateKey  (404, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (404, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 02979   388   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 408, ) }, ... 408, ) == 0x0
 02980   388   NtQueryKey  (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02981   388   NtEnumerateValueKey  (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02982   388   NtEnumerateValueKey  (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02983   388   NtClose  (408, ... ) == 0x0
 02984   388   NtEnumerateKey  (404, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (404, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 02985   388   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 408, ) }, ... 408, ) == 0x0
 02986   388   NtQueryKey  (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02987   388   NtEnumerateValueKey  (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 02988   388   NtEnumerateValueKey  (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 02989   388   NtClose  (408, ... ) == 0x0
 02990   388   NtEnumerateKey  (404, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02991   388   NtClose  (404, ... ) == 0x0
 02992   388   NtClose  (400, ... ) == 0x0
 02993   388   NtClose  (396, ... ) == 0x0
 02994   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 396, ) }, ... 396, ) == 0x0
 02995   388   NtEnumerateKey  (396, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (396, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 02996   388   NtOpenKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "EncodingType 0"}, ... 400, ) }, ... 400, ) == 0x0
 02997   388   NtOpenKey  (0x20019, {24, 400, 0x40, 0, 0,  (0x20019, {24, 400, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... 404, ) }, ... 404, ) == 0x0
 02998   388   NtEnumerateKey  (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, 92, ) }, 92, ) == 0x0
 02999   388   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "{D0BA83B0-DB49-11D2-B886-00C04F866F52}"}, ... 408, ) }, ... 408, ) == 0x0
 03000   388   NtQueryKey  (408, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 03001   388   NtEnumerateValueKey  (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) , Data= (408, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0s\0f\0s\0i\0p\0c\0.\0d\0l\0l\0\0\0"}, 92, ) }, 92, ) == 0x0
 03002   388   NtEnumerateValueKey  (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) , Data= (408, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 66, ) }, 66, ) == 0x0
 03003   388   NtClose  (408, ... ) == 0x0
 03004   388   NtEnumerateKey  (404, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03005   388   NtClose  (404, ... ) == 0x0
 03006   388   NtClose  (400, ... ) == 0x0
 03007   388   NtEnumerateKey  (396, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (396, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 03008   388   NtOpenKey  (0x20019, {24, 396, 0x40, 0, 0,  (0x20019, {24, 396, 0x40, 0, 0, "EncodingType 1"}, ... 400, ) }, ... 400, ) == 0x0
 03009   388   NtOpenKey  (0x20019, {24, 400, 0x40, 0, 0,  (0x20019, {24, 400, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03010   388   NtClose  (400, ... ) == 0x0
 03011   388   NtEnumerateKey  (396, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03012   388   NtClose  (396, ... ) == 0x0
 03013   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231216, ... ) }, 1231216, ... ) == 0x0
 03014   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 396, {status=0x0, info=1}, ) }, 5, 96, ... 396, {status=0x0, info=1}, ) == 0x0
 03015   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 396, ... 400, ) == 0x0
 03016   388   NtClose  (396, ... ) == 0x0
 03017   388   NtMapViewOfSection  (400, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xea0000), 0x0, 16384, ) == 0x0
 03018   388   NtClose  (400, ... ) == 0x0
 03019   388   NtUnmapViewOfSection  (-1, 0xea0000, ... ) == 0x0
 03020   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 1231532, ... ) }, 1231532, ... ) == 0x0
 03021   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\asfsipc.dll"}, 5, 96, ... 400, {status=0x0, info=1}, ) }, 5, 96, ... 400, {status=0x0, info=1}, ) == 0x0
 03022   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 400, ... 396, ) == 0x0
 03023   388   NtQuerySection  (396, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03024   388   NtClose  (400, ... ) == 0x0
 03025   388   NtMapViewOfSection  (396, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x70eb0000), 0x0, 28672, ) == 0x0
 03026   388   NtClose  (396, ... ) == 0x0
 03027   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CRYPT32.dll"}, 1230792, ... ) }, 1230792, ... ) == 0x0
 03028   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 396, ) == 0x0
 03029   388   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15335424, 1048576, ) == 0x0
 03030   388   NtAllocateVirtualMemory  (-1, 16375808, 0, 8192, 4096, 4, ... 16375808, 8192, ) == 0x0
 03031   388   NtProtectVirtualMemory  (-1, (0xf9e000), 4096, 260, ... (0xf9e000), 4096, 4, ) == 0x0
 03032   388   NtCreateThread  (0x1f03ff, 0x0, -1, 1232740, 1233456, 1, ... 400, {316, 196}, ) == 0x0
 03033   388   NtQueryInformationThread  (400, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=316,Tid=196,}, 0x0, ) == 0x0
 03034   388   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 13}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\0\220\1\0\0<\1\0\0\304\0\0\0" ... {28, 56, reply, 0, 316, 388, 2652, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\220\1\0\0<\1\0\0\304\0\0\0" )  ... {28, 56, reply, 0, 316, 388, 2652, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 13} "\0\0\0\0\1\0\1\0z\25\347w\10\0\0\0\220\1\0\0<\1\0\0\304\0\0\0" ... {28, 56, reply, 0, 316, 388, 2652, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\220\1\0\0<\1\0\0\304\0\0\0" )  ) == 0x0
 03035   388   NtResumeThread  (400, ... 1, ) == 0x0
 03036   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... }, ...
 03037   196   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03038   196   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03039   196   NtTestAlert  (... ) == 0x0
 03040   196   NtContinue  (16383280, 1, ...
 03041   196   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03042   196   NtWaitForMultipleObjects  (1, (396, ), 1, 0, {-150000000, -1}, ...
 03036   388   NtOpenKey  ... 404, ) == 0x0
 03043   388   NtEnumerateKey  (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name= (404, 0, Basic, 288, ... {LastWrite={0x6111bb40,0x1c73999}, TitleIdx=0, Name="EncodingType 0"}, 44, ) }, 44, ) == 0x0
 03044   388   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "EncodingType 0"}, ... 408, ) }, ... 408, ) == 0x0
 03045   388   NtOpenKey  (0x20019, {24, 408, 0x40, 0, 0,  (0x20019, {24, 408, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 412, ) }, ... 412, ) == 0x0
 03046   388   NtEnumerateKey  (412, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name= (412, 0, Basic, 288, ... {LastWrite={0x6f8d23ee,0x1c73999}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0
 03047   388   NtOpenKey  (0x20019, {24, 412, 0x40, 0, 0,  (0x20019, {24, 412, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 416, ) }, ... 416, ) == 0x0
 03048   388   NtQueryKey  (416, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 03049   388   NtEnumerateValueKey  (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="M\0S\0I\0S\0I\0P\0.\0D\0L\0L\0\0\0"}, 50, ) }, 50, ) == 0x0
 03050   388   NtEnumerateValueKey  (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="M\0s\0i\0S\0I\0P\0I\0s\0M\0y\0T\0y\0p\0e\0O\0f\0F\0i\0l\0e\0\0\0"}, 78, ) }, 78, ) == 0x0
 03051   388   NtClose  (416, ... ) == 0x0
 03052   388   NtEnumerateKey  (412, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (412, 1, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 03053   388   NtOpenKey  (0x20019, {24, 412, 0x40, 0, 0,  (0x20019, {24, 412, 0x40, 0, 0, "{06C9E010-38CE-11D4-A2A3-00104BD35090}"}, ... 416, ) }, ... 416, ) == 0x0
 03054   388   NtQueryKey  (416, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 03055   388   NtEnumerateValueKey  (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 03056   388   NtEnumerateValueKey  (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 03057   388   NtClose  (416, ... ) == 0x0
 03058   388   NtEnumerateKey  (412, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name= (412, 2, Basic, 288, ... {LastWrite={0x608e99ea,0x1c73999}, TitleIdx=0, Name="{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, 92, ) }, 92, ) == 0x0
 03059   388   NtOpenKey  (0x20019, {24, 412, 0x40, 0, 0,  (0x20019, {24, 412, 0x40, 0, 0, "{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}"}, ... 416, ) }, ... 416, ) == 0x0
 03060   388   NtQueryKey  (416, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 03061   388   NtEnumerateValueKey  (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 03062   388   NtEnumerateValueKey  (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 03063   388   NtClose  (416, ... ) == 0x0
 03064   388   NtEnumerateKey  (412, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name= (412, 3, Basic, 288, ... {LastWrite={0x6090fc44,0x1c73999}, TitleIdx=0, Name="{1A610570-38CE-11D4-A2A3-00104BD35090}"}, 92, ) }, 92, ) == 0x0
 03065   388   NtOpenKey  (0x20019, {24, 412, 0x40, 0, 0,  (0x20019, {24, 412, 0x40, 0, 0, "{1A610570-38CE-11D4-A2A3-00104BD35090}"}, ... 416, ) }, ... 416, ) == 0x0
 03066   388   NtQueryKey  (416, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 03067   388   NtEnumerateValueKey  (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="Dll", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0e\0x\0t\0.\0d\0l\0l\0\0\0"}, 90, ) }, 90, ) == 0x0
 03068   388   NtEnumerateValueKey  (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="FuncName", Data="I\0s\0F\0i\0l\0e\0S\0u\0p\0p\0o\0r\0t\0e\0d\0N\0a\0m\0e\0\0\0"}, 76, ) }, 76, ) == 0x0
 03069   388   NtClose  (416, ... ) == 0x0
 03070   388   NtEnumerateKey  (412, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03071   388   NtClose  (412, ... ) == 0x0
 03072   388   NtClose  (408, ... ) == 0x0
 03073   388   NtEnumerateKey  (404, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name= (404, 1, Basic, 288, ... {LastWrite={0x7492376c,0x1c73999}, TitleIdx=0, Name="EncodingType 1"}, 44, ) }, 44, ) == 0x0
 03074   388   NtOpenKey  (0x20019, {24, 404, 0x40, 0, 0,  (0x20019, {24, 404, 0x40, 0, 0, "EncodingType 1"}, ... 408, ) }, ... 408, ) == 0x0
 03075   388   NtOpenKey  (0x20019, {24, 408, 0x40, 0, 0,  (0x20019, {24, 408, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03076   388   NtClose  (408, ... ) == 0x0
 03077   388   NtEnumerateKey  (404, 2, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03078   388   NtClose  (404, ... ) == 0x0
 03079   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSISIP.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03080   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSISIP.DLL"}, 1231524, ... ) }, 1231524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03081   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "MSISIP.DLL"}, 1231524, ... ) }, 1231524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03082   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 1231524, ... ) }, 1231524, ... ) == 0x0
 03083   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSISIP.DLL"}, 5, 96, ... 404, {status=0x0, info=1}, ) }, 5, 96, ... 404, {status=0x0, info=1}, ) == 0x0
 03084   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 404, ... 408, ) == 0x0
 03085   388   NtQuerySection  (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03086   388   NtClose  (404, ... ) == 0x0
 03087   388   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x605f0000), 0x0, 53248, ) == 0x0
 03088   388   NtClose  (408, ... ) == 0x0
 03089   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 03090   388   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 16384000, 65536, ) == 0x0
 03091   388   NtAllocateVirtualMemory  (-1, 16384000, 0, 4096, 4096, 4, ... 16384000, 4096, ) == 0x0
 03092   388   NtAllocateVirtualMemory  (-1, 16388096, 0, 8192, 4096, 4, ... 16388096, 8192, ) == 0x0
 03093   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1231112, ... ) }, 1231112, ... ) == 0x0
 03094   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0
 03095   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 408, ... 404, ) == 0x0
 03096   388   NtClose  (408, ... ) == 0x0
 03097   388   NtMapViewOfSection  (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 262144, ) == 0x0
 03098   388   NtClose  (404, ... ) == 0x0
 03099   388   NtUnmapViewOfSection  (-1, 0xfb0000, ... ) == 0x0
 03100   388   NtAllocateLocallyUniqueId  (... {105934, 0}, ) == 0x0
 03101   388   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 03102   388   NtOpenProcessToken  (-1, 0x20008, ... 404, ) == 0x0
 03103   388   NtQueryInformationToken  (404, User, 52, ... {token info, class 1, size 36}, 36, ) == 0x0
 03104   388   NtClose  (404, ... ) == 0x0
 03105   388   NtCreateSection  (0xf0007, {24, 52, 0x80, 1232432, 0,  (0xf0007, {24, 52, 0x80, 1232432, 0, "DfSharedHeap19DCE"}, {4194304, 0}, 4, 67108864, 0, ... 404, ) }, {4194304, 0}, 4, 67108864, 0, ... 404, ) == 0x0
 03106   388   NtMapViewOfSection  (404, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1000000), {0, 0}, 4194304, ) == 0x0
 03107   388   NtAllocateVirtualMemory  (-1, 16777216, 0, 16376, 4096, 4, ... 16777216, 16384, ) == 0x0
 03108   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1229948,  (0x80100080, {24, 0, 0x40, 0, 1229948, "\??\UNC\missouri\binaries\work\lnti.bat"}, 0x0, 128, 3, 1, 2144, 0, 0, ... 408, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 2144, 0, 0, ... 408, {status=0x0, info=1}, ) == 0x0
 03109   388   NtReadFile  (408, 0, 0, 1232652, 512, {0, 0}, 0, ... {status=0x0, info=120},  (408, 0, 0, 1232652, 512, {0, 0}, 0, ... {status=0x0, info=120}, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del lnti.bat\15\12", ) , ) == 0x0
 03110   388   NtClose  (408, ... ) == 0x0
 03111   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231216, ... ) }, 1231216, ... ) == 0x0
 03112   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0
 03113   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 408, ... 412, ) == 0x0
 03114   388   NtClose  (408, ... ) == 0x0
 03115   388   NtMapViewOfSection  (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 69632, ) == 0x0
 03116   388   NtClose  (412, ... ) == 0x0
 03117   388   NtUnmapViewOfSection  (-1, 0xfb0000, ... ) == 0x0
 03118   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 1231532, ... ) }, 1231532, ... ) == 0x0
 03119   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshext.dll"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0
 03120   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 412, ... 408, ) == 0x0
 03121   388   NtQuerySection  (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03122   388   NtClose  (412, ... ) == 0x0
 03123   388   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74ea0000), 0x0, 65536, ) == 0x0
 03124   388   NtClose  (408, ... ) == 0x0
 03125   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 408, ) }, ... 408, ) == 0x0
 03126   388   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 03127   388   NtClose  (408, ... ) == 0x0
 03128   388   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 03129   388   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 03130   388   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 03131   388   NtProtectVirtualMemory  (-1, (0x74eaa000), 672, 4, ... (0x74eaa000), 4096, 2, ) == 0x0
 03132   388   NtProtectVirtualMemory  (-1, (0x74eaa000), 4096, 2, ... (0x74eaa000), 4096, 4, ) == 0x0
 03133   388   NtFlushInstructionCache  (-1, 1961533440, 672, ... ) == 0x0
 03134   388   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 03135   388   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 03136   388   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 03137   388   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 03138   388   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 03139   388   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 03140   388   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 03141   388   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 03142   388   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 03143   388   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 03144   388   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 03145   388   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 03146   388   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 03147   388   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 03148   388   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 03149   388   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 03150   388   NtOpenProcessToken  (-1, 0x8, ... 408, ) == 0x0
 03151   388   NtQueryInformationToken  (408, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 03152   388   NtClose  (408, ... ) == 0x0
 03153   388   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 03154   388   NtReleaseMutant  (16, ...
 03155   388   NtContinue  (-130776952, 0, ...
 03154   388   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 03156   388   NtQueryDefaultLocale  (1, 1230212, ... ) == 0x0
 03157   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228204, ... ) }, 1228204, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03158   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228520, ... ) }, 1228520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03159   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03160   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03161   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03162   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03163   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03164   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03165   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03166   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03167   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03168   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228204, ... ) }, 1228204, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03169   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228520, ... ) }, 1228520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03170   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshEN.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03171   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshEN.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03172   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "wshEN.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03173   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshEN.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03174   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshEN.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03175   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03176   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshEN.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03177   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshEN.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03178   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshEN.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03179   388   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 03180   388   NtReleaseMutant  (16, ...
 03181   388   NtContinue  (-130776952, 0, ...
 03180   388   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 03182   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228204, ... ) }, 1228204, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03183   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228520, ... ) }, 1228520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03184   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wshENU.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03185   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03186   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03187   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03188   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03189   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03190   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03191   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03192   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\wshENU.DLL"}, 1228512, ... ) }, 1228512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03193   388   NtClose  (388, ... ) == 0x0
 03194   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) }, ... 388, ) == 0x0
 03195   388   NtQueryValueKey  (388,  (388, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03196   388   NtClose  (388, ... ) == 0x0
 03197   388   NtOpenThreadToken  (-2, 0x2000a, 1, ... ) == STATUS_NO_TOKEN
 03198   388   NtOpenProcessToken  (-1, 0x2000a, ... 388, ) == 0x0
 03199   388   NtQueryInformationToken  (388, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 03200   388   NtQueryInformationToken  (388, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 03201   388   NtClose  (388, ... ) == 0x0
 03202   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03203   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03204   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03205   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03206   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 388, ) }, ... 388, ) == 0x0
 03207   388   NtQueryValueKey  (388,  (388, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03208   388   NtClose  (388, ... ) == 0x0
 03209   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03210   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03211   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03212   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 388, ) }, ... 388, ) == 0x0
 03213   388   NtQueryValueKey  (388,  (388, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03214   388   NtClose  (388, ... ) == 0x0
 03215   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESi"}, 138, ) }, 138, ) == 0x0
 03216   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03217   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 388, ) }, ... 388, ) == 0x0
 03218   388   NtQueryKey  (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 03219   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03220   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 408, ) == 0x0
 03221   388   NtQueryInformationToken  (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03222   388   NtClose  (408, ... ) == 0x0
 03223   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03224   388   NtQueryValueKey  (390, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 03225   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1230820, ... ) }, 1230820, ... ) == 0x0
 03226   388   NtClose  (390, ... ) == 0x0
 03227   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03228   388   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 388, {status=0x0, info=1}, ) }, 3, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 03229   388   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 408, ) }, ... 408, ) == 0x0
 03230   388   NtQuerySymbolicLinkObject  (408, ...  (408, ... "\Device\WinDfs\U:00000000000091ad", 66, ) , 66, ) == 0x0
 03231   388   NtClose  (408, ... ) == 0x0
 03232   388   NtQueryVolumeInformationFile  (388, 1234172, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03233   388   NtClose  (388, ... ) == 0x0
 03234   388   NtWaitForSingleObject  (116, 0, {0, 0}, ... ) == 0x102
 03235   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet"}, ... 388, ) }, ... 388, ) == 0x0
 03236   388   NtOpenKey  (0x20019, {24, 388, 0x40, 0, 0,  (0x20019, {24, 388, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 408, ) }, ... 408, ) == 0x0
 03237   388   NtQueryValueKey  (408,  (408, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 03238   388   NtQueryValueKey  (408,  (408, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0
 03239   388   NtClose  (408, ... ) == 0x0
 03240   388   NtOpenKey  (0x20019, {24, 388, 0x40, 0, 0,  (0x20019, {24, 388, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 408, ) }, ... 408, ) == 0x0
 03241   388   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 03242   388   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 03243   388   NtQueryValueKey  (408,  (408, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03244   388   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 03245   388   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 03246   388   NtClose  (408, ... ) == 0x0
 03247   388   NtOpenKey  (0x20019, {24, 388, 0x40, 0, 0,  (0x20019, {24, 388, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 408, ) }, ... 408, ) == 0x0
 03248   388   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 03249   388   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 03250   388   NtQueryValueKey  (408,  (408, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03251   388   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 03252   388   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 03253   388   NtClose  (408, ... ) == 0x0
 03254   388   NtOpenKey  (0x20019, {24, 388, 0x40, 0, 0,  (0x20019, {24, 388, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 408, ) }, ... 408, ) == 0x0
 03255   388   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 03256   388   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 03257   388   NtQueryValueKey  (408,  (408, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03258   388   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 03259   388   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 03260   388   NtClose  (408, ... ) == 0x0
 03261   388   NtOpenKey  (0x20019, {24, 388, 0x40, 0, 0,  (0x20019, {24, 388, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 408, ) }, ... 408, ) == 0x0
 03262   388   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 03263   388   NtQueryValueKey  (408,  (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 03264   388   NtQueryValueKey  (408,  (408, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03265   388   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 03266   388   NtQueryValueKey  (408,  (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0
 03267   388   NtClose  (408, ... ) == 0x0
 03268   388   NtClose  (388, ... ) == 0x0
 03269   388   NtQueryDefaultLocale  (1, 1233724, ... ) == 0x0
 03270   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231736, ... ) }, 1231736, ... ) == 0x0
 03271   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 03272   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 388, ... 408, ) == 0x0
 03273   388   NtClose  (388, ... ) == 0x0
 03274   388   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 12288, ) == 0x0
 03275   388   NtClose  (408, ... ) == 0x0
 03276   388   NtUnmapViewOfSection  (-1, 0xfb0000, ... ) == 0x0
 03277   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1232052, ... ) }, 1232052, ... ) == 0x0
 03278   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0
 03279   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 408, ... 388, ) == 0x0
 03280   388   NtQuerySection  (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03281   388   NtClose  (408, ... ) == 0x0
 03282   388   NtMapViewOfSection  (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0
 03283   388   NtClose  (388, ... ) == 0x0
 03284   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 388, ) }, ... 388, ) == 0x0
 03285   388   NtQueryValueKey  (388,  (388, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (388, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 03286   388   NtClose  (388, ... ) == 0x0
 03287   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231736, ... ) }, 1231736, ... ) == 0x0
 03288   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 03289   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 388, ... 408, ) == 0x0
 03290   388   NtClose  (388, ... ) == 0x0
 03291   388   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 40960, ) == 0x0
 03292   388   NtClose  (408, ... ) == 0x0
 03293   388   NtUnmapViewOfSection  (-1, 0xfb0000, ... ) == 0x0
 03294   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1232052, ... ) }, 1232052, ... ) == 0x0
 03295   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0
 03296   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 408, ... 388, ) == 0x0
 03297   388   NtQuerySection  (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03298   388   NtClose  (408, ... ) == 0x0
 03299   388   NtMapViewOfSection  (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 53248, ) == 0x0
 03300   388   NtClose  (388, ... ) == 0x0
 03301   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03302   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1231240, ... ) }, 1231240, ... ) == 0x0
 03303   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 03304   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 388, ... 408, ) == 0x0
 03305   388   NtQuerySection  (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03306   388   NtClose  (388, ... ) == 0x0
 03307   388   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0
 03308   388   NtClose  (408, ... ) == 0x0
 03309   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03310   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1231240, ... ) }, 1231240, ... ) == 0x0
 03311   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0
 03312   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 408, ... 388, ) == 0x0
 03313   388   NtQuerySection  (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03314   388   NtClose  (408, ... ) == 0x0
 03315   388   NtMapViewOfSection  (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0
 03316   388   NtClose  (388, ... ) == 0x0
 03317   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03318   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1230436, ... ) }, 1230436, ... ) == 0x0
 03319   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 03320   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 388, ... 408, ) == 0x0
 03321   388   NtQuerySection  (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03322   388   NtClose  (388, ... ) == 0x0
 03323   388   NtMapViewOfSection  (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0
 03324   388   NtClose  (408, ... ) == 0x0
 03325   388   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03326   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1230436, ... ) }, 1230436, ... ) == 0x0
 03327   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 408, {status=0x0, info=1}, ) == 0x0
 03328   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 408, ... 388, ) == 0x0
 03329   388   NtQuerySection  (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03330   388   NtClose  (408, ... ) == 0x0
 03331   388   NtMapViewOfSection  (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0
 03332   388   NtClose  (388, ... ) == 0x0
 03333   388   NtOpenKey  (0x80000000, {24, 0, 0xc0, 0, 0,  (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 388, ) }, ... 388, ) == 0x0
 03334   388   NtQueryValueKey  (388,  (388, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03335   388   NtAllocateVirtualMemory  (-1, 3313664, 0, 4096, 4096, 4, ... 3313664, 4096, ) == 0x0
 03336   388   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 408, ) == 0x0
 03337   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231736, ... ) }, 1231736, ... ) == 0x0
 03338   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0
 03339   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 412, ... 416, ) == 0x0
 03340   388   NtClose  (412, ... ) == 0x0
 03341   388   NtMapViewOfSection  (416, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 24576, ) == 0x0
 03342   388   NtClose  (416, ... ) == 0x0
 03343   388   NtUnmapViewOfSection  (-1, 0xfb0000, ... ) == 0x0
 03344   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1232052, ... ) }, 1232052, ... ) == 0x0
 03345   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 416, {status=0x0, info=1}, ) }, 5, 96, ... 416, {status=0x0, info=1}, ) == 0x0
 03346   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 416, ... 412, ) == 0x0
 03347   388   NtQuerySection  (412, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03348   388   NtClose  (416, ... ) == 0x0
 03349   388   NtMapViewOfSection  (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0
 03350   388   NtClose  (412, ... ) == 0x0
 03351   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 412, ) }, ... 412, ) == 0x0
 03352   388   NtQueryValueKey  (412,  (412, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (412, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0
 03353   388   NtClose  (412, ... ) == 0x0
 03354   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231728, ... ) }, 1231728, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03355   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231728, ... ) }, 1231728, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03356   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231728, ... ) }, 1231728, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03357   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231728, ... ) }, 1231728, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03358   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231728, ... ) }, 1231728, ... ) == 0x0
 03359   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0
 03360   388   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 412, ... 416, ) == 0x0
 03361   388   NtClose  (412, ... ) == 0x0
 03362   388   NtMapViewOfSection  (416, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfb0000), 0x0, 122880, ) == 0x0
 03363   388   NtClose  (416, ... ) == 0x0
 03364   388   NtUnmapViewOfSection  (-1, 0xfb0000, ... ) == 0x0
 03365   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1232044, ... ) }, 1232044, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03366   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "system32\hgfs1.dll"}, 1232044, ... ) }, 1232044, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03367   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1232044, ... ) }, 1232044, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03368   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1232044, ... ) }, 1232044, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03369   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1232044, ... ) }, 1232044, ... ) == 0x0
 03370   388   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 416, {status=0x0, info=1}, ) }, 5, 96, ... 416, {status=0x0, info=1}, ) == 0x0
 03371   388   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 416, ... 412, ) == 0x0
 03372   388   NtQuerySection  (412, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03373   388   NtClose  (416, ... ) == 0x0
 03374   388   NtMapViewOfSection  (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xfb0000), 0x0, 131072, ) == STATUS_IMAGE_NOT_AT_BASE
 03375   388   NtProtectVirtualMemory  (-1, (0xfb1000), 81920, 4, ... (0xfb1000), 81920, 32, ) == 0x0
 03376   388   NtProtectVirtualMemory  (-1, (0xfc5000), 12288, 4, ... (0xfc5000), 12288, 2, ) == 0x0
 03377   388   NtProtectVirtualMemory  (-1, (0xfce000), 8192, 4, ... (0xfce000), 8192, 2, ) == 0x0
 03378   388   NtMapViewOfSection  (412, -1, (0xfb0000), 0, 0, 0x0, 131072, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 03379   388   NtProtectVirtualMemory  (-1, (0xfb1000), 81920, 16, ... (0xfb1000), 81920, 4, ) == 0x0
 03380   388   NtProtectVirtualMemory  (-1, (0xfc5000), 12288, 2, ... (0xfc5000), 12288, 4, ) == 0x0
 03381   388   NtProtectVirtualMemory  (-1, (0xfce000), 8192, 2, ... (0xfce000), 8192, 8, ) == 0x0
 03382   388   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 03383   388   NtClose  (412, ... ) == 0x0
 03384   388   NtProtectVirtualMemory  (-1, (0xfc5000), 416, 4, ... (0xfc5000), 4096, 2, ) == 0x0
 03385   388   NtProtectVirtualMemory  (-1, (0xfc5000), 4096, 2, ... (0xfc5000), 4096, 4, ) == 0x0
 03386   388   NtFlushInstructionCache  (-1, 16535552, 416, ... ) == 0x0
 03387   388   NtProtectVirtualMemory  (-1, (0xfc5000), 416, 4, ... (0xfc5000), 4096, 2, ) == 0x0
 03388   388   NtProtectVirtualMemory  (-1, (0xfc5000), 4096, 2, ... (0xfc5000), 4096, 4, ) == 0x0
 03389   388   NtFlushInstructionCache  (-1, 16535552, 416, ... ) == 0x0
 03390   388   NtProtectVirtualMemory  (-1, (0xfc5000), 416, 4, ... (0xfc5000), 4096, 2, ) == 0x0
 03391   388   NtProtectVirtualMemory  (-1, (0xfc5000), 4096, 2, ... (0xfc5000), 4096, 4, ) == 0x0
 03392   388   NtFlushInstructionCache  (-1, 16535552, 416, ... ) == 0x0
 03393   388   NtProtectVirtualMemory  (-1, (0xfc5000), 416, 4, ... (0xfc5000), 4096, 2, ) == 0x0
 03394   388   NtProtectVirtualMemory  (-1, (0xfc5000), 4096, 2, ... (0xfc5000), 4096, 4, ) == 0x0
 03395   388   NtFlushInstructionCache  (-1, 16535552, 416, ... ) == 0x0
 03396   388   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 03397   388   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 16580608, 65536, ) == 0x0
 03398   388   NtAllocateVirtualMemory  (-1, 16580608, 0, 4096, 4096, 4, ... 16580608, 4096, ) == 0x0
 03399   388   NtAllocateVirtualMemory  (-1, 16584704, 0, 8192, 4096, 4, ... 16584704, 8192, ) == 0x0
 03400   388   NtAllocateVirtualMemory  (-1, 16592896, 0, 4096, 4096, 4, ... 16592896, 4096, ) == 0x0
 03401   388   NtQueryPerformanceCounter  (... {326978133, 0}, {3579545, 0}, ) == 0x0
 03402   388   NtRaiseException  (1231536, 1230796, 1, ...
 03403   388   NtContinue  (1229592, 0, ...
 03404   388   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 412, ) }, ... 412, ) == 0x0
 03405   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03406   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03407   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03408   388   NtRaiseException  (1221512, 1220772, 1, ...
 03409   388   NtAllocateVirtualMemory  (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0
 03410   388   NtContinue  (1219568, 0, ...
 03411   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03412   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03413   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03414   388   NtRaiseException  (1223272, 1222532, 1, ...
 03415   388   NtContinue  (1221328, 0, ...
 03416   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03417   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03418   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03419   388   NtRaiseException  (1223276, 1222536, 1, ...
 03420   388   NtContinue  (1221332, 0, ...
 03421   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03422   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03423   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03424   388   NtRaiseException  (1223272, 1222532, 1, ...
 03425   388   NtContinue  (1221328, 0, ...
 03426   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03427   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03428   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03429   388   NtRaiseException  (1223276, 1222536, 1, ...
 03430   388   NtContinue  (1221332, 0, ...
 03431   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03432   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03433   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03434   388   NtRaiseException  (1223272, 1222532, 1, ...
 03435   388   NtContinue  (1221328, 0, ...
 03436   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03437   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03438   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03439   388   NtRaiseException  (1223276, 1222536, 1, ...
 03440   388   NtContinue  (1221332, 0, ...
 03441   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03442   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03443   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03444   388   NtRaiseException  (1223272, 1222532, 1, ...
 03445   388   NtContinue  (1221328, 0, ...
 03446   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03447   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03448   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03449   388   NtRaiseException  (1223276, 1222536, 1, ...
 03450   388   NtContinue  (1221332, 0, ...
 03451   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03452   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03453   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03454   388   NtRaiseException  (1223272, 1222532, 1, ...
 03455   388   NtContinue  (1221328, 0, ...
 03456   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03457   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03458   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03459   388   NtRaiseException  (1223276, 1222536, 1, ...
 03460   388   NtContinue  (1221332, 0, ...
 03461   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03462   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03463   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03464   388   NtRaiseException  (1223272, 1222532, 1, ...
 03465   388   NtContinue  (1221328, 0, ...
 03466   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03467   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03468   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03469   388   NtRaiseException  (1223276, 1222536, 1, ...
 03470   388   NtContinue  (1221332, 0, ...
 03471   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03472   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03473   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03474   388   NtRaiseException  (1223272, 1222532, 1, ...
 03475   388   NtContinue  (1221328, 0, ...
 03476   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03477   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03478   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03479   388   NtRaiseException  (1223276, 1222536, 1, ...
 03480   388   NtContinue  (1221332, 0, ...
 03481   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03482   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03483   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03484   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1231704, ... ) }, 1231704, ... ) == 0x0
 03485   388   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {316, 0}, ... 416, ) == 0x0
 03486   388   NtQueryInformationProcess  (416, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 03487   388   NtClose  (416, ... ) == 0x0
 03488   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1231704, ... ) }, 1231704, ... ) == 0x0
 03489   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03490   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 416, ) == 0x0
 03491   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03492   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03493   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1230752,  (0xc0100080, {24, 0, 0x40, 0, 1230752, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0
 03494   388   NtSetInformationFile  (420, 1230808, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03495   388   NtSetInformationFile  (420, 1230800, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03496   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03497   388   NtWriteFile  (420, 253, 0, 0,  (420, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03498   388   NtReadFile  (420, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (420, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\233"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0
 03499   388   NtFsControlFile  (420, 253, 0x0, 0x0, 0x11c017,  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\233"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\233"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 03500   388   NtClose  (416, ... ) == 0x0
 03501   388   NtClose  (420, ... ) == 0x0
 03502   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03503   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 420, ) == 0x0
 03504   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03505   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03506   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1230752,  (0xc0100080, {24, 0, 0x40, 0, 1230752, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0
 03507   388   NtSetInformationFile  (416, 1230808, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03508   388   NtSetInformationFile  (416, 1230800, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03509   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03510   388   NtWriteFile  (416, 253, 0, 0,  (416, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03511   388   NtReadFile  (416, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (416, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\234"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0
 03512   388   NtFsControlFile  (416, 253, 0x0, 0x0, 0x11c017,  (416, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\234"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (416, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\234"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 03513   388   NtClose  (420, ... ) == 0x0
 03514   388   NtClose  (416, ... ) == 0x0
 03515   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 416, ) }, ... 416, ) == 0x0
 03516   388   NtQueryKey  (416, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0
 03517   388   NtQuerySecurityObject  (416, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03518   388   NtQuerySecurityObject  (416, 15, 0, ... ) == STATUS_ACCESS_DENIED
 03519   388   NtQueryValueKey  (416,  (416, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0
 03520   388   NtClose  (416, ... ) == 0x0
 03521   388   NtCreateFile  (0x100000, {24, 0, 0x40, 0, 0,  (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0
 03522   388   NtFsControlFile  (416, 0, 0x0, 0x0, 0x600bc,  (416, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x0, info=1024},  (416, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 03523   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03524   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 420, ) == 0x0
 03525   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03526   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03527   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232192,  (0xc0100080, {24, 0, 0x40, 0, 1232192, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 424, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 424, {status=0x0, info=1}, ) == 0x0
 03528   388   NtSetInformationFile  (424, 1232248, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03529   388   NtSetInformationFile  (424, 1232240, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03530   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03531   388   NtWriteFile  (424, 253, 0, 0,  (424, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03532   388   NtReadFile  (424, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (424, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\235"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0
 03533   388   NtFsControlFile  (424, 253, 0x0, 0x0, 0x11c017,  (424, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\250\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\235"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68},  (424, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\250\323\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\235"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 03534   388   NtClose  (420, ... ) == 0x0
 03535   388   NtClose  (424, ... ) == 0x0
 03536   388   NtWaitForSingleObject  (408, 0, {-70000000, -1}, ... ) == 0x0
 03537   388   NtReleaseSemaphore  (408, 1, ... 0x0, ) == 0x0
 03538   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1231704, ... ) }, 1231704, ... ) == 0x0
 03539   388   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 424, ) }, ... 424, ) == 0x0
 03540   388   NtWaitForSingleObject  (424, 0, {-1800000000, -1}, ... ) == 0x0
 03541   388   NtClose  (424, ... ) == 0x0
 03542   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03543   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 424, ) == 0x0
 03544   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03545   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03546   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232228,  (0xc0100080, {24, 0, 0x40, 0, 1232228, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0
 03547   388   NtSetInformationFile  (420, 1232284, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03548   388   NtSetInformationFile  (420, 1232276, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03549   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03550   388   NtWriteFile  (420, 253, 0, 0,  (420, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03551   388   NtReadFile  (420, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (420, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03552   388   NtFsControlFile  (420, 253, 0x0, 0x0, 0x11c017,  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03553   388   NtFsControlFile  (420, 253, 0x0, 0x0, 0x11c017,  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\262\301\257\274\316~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\262\301\257\274\316~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\262\301\257\274\316~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\262\301\257\274\316~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03554   388   NtFsControlFile  (420, 253, 0x0, 0x0, 0x11c017,  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\263\301\257\274\316~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\263\301\257\274\316~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\263\301\257\274\316~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\263\301\257\274\316~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03555   388   NtFsControlFile  (420, 253, 0x0, 0x0, 0x11c017,  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\262\301\257\274\316~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\262\301\257\274\316~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03556   388   NtFsControlFile  (420, 253, 0x0, 0x0, 0x11c017,  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\263\301\257\274\316~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (420, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\263\301\257\274\316~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03557   388   NtClose  (424, ... ) == 0x0
 03558   388   NtClose  (420, ... ) == 0x0
 03559   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1231696, ... ) }, 1231696, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03560   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "system32\hgfs1.dll"}, 1231696, ... ) }, 1231696, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03561   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1231696, ... ) }, 1231696, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03562   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1231696, ... ) }, 1231696, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03563   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1231696, ... ) }, 1231696, ... ) == 0x0
 03564   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 420, ) }, ... 420, ) == 0x0
 03565   388   NtQueryValueKey  (420,  (420, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0
 03566   388   NtClose  (420, ... ) == 0x0
 03567   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 420, ) }, ... 420, ) == 0x0
 03568   388   NtQueryValueKey  (420,  (420, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0
 03569   388   NtClose  (420, ... ) == 0x0
 03570   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 420, ) }, ... 420, ) == 0x0
 03571   388   NtQueryValueKey  (420,  (420, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 03572   388   NtClose  (420, ... ) == 0x0
 03573   388   NtRaiseException  (1222196, 1221456, 1, ...
 03574   388   NtContinue  (1220252, 0, ...
 03575   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03576   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03577   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03578   388   NtRaiseException  (1222192, 1221452, 1, ...
 03579   388   NtContinue  (1220248, 0, ...
 03580   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03581   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03582   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03583   388   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 1232860, 0,  (0x1f0001, {24, 52, 0x80, 1232860, 0, "HGFSMUTEX"}, 1, ... 420, ) }, 1, ... 420, ) == STATUS_OBJECT_NAME_EXISTS
 03584   388   NtWaitForSingleObject  (420, 0, 0x0, ... ) == 0x0
 03585   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "HGFSMEMORY"}, ... 424, ) }, ... 424, ) == 0x0
 03586   388   NtMapViewOfSection  (424, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xfe0000), {0, 0}, 28672, ) == 0x0
 03587   388   NtReleaseMutant  (420, ... 0x0, ) == 0x0
 03588   388   NtRaiseException  (1223248, 1222508, 1, ...
 03589   388   NtContinue  (1221304, 0, ...
 03590   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03591   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03592   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03593   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1233904, 1233492,  (0xc0100080, {24, 0, 0x40, 1233904, 1233492, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 428, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 428, {status=0x0, info=0}, ) == 0x0
 03594   388   NtDeviceIoControlFile  (428, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1},  (428, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0
 03595   388   NtClose  (428, ... ) == 0x0
 03596   388   NtRaiseException  (1223228, 1222488, 1, ...
 03597   388   NtContinue  (1221284, 0, ...
 03598   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03599   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03600   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03601   388   NtRaiseException  (1223248, 1222508, 1, ...
 03602   388   NtContinue  (1221304, 0, ...
 03603   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 03604   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03605   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 03606   388   NtAllocateVirtualMemory  (-1, 1511424, 0, 20480, 4096, 4, ... 1511424, 20480, ) == 0x0
 03607   388   NtAllocateVirtualMemory  (-1, 1531904, 0, 20480, 4096, 4, ... 1531904, 20480, ) == 0x0
 03608   388   NtWaitForSingleObject  (408, 0, {-70000000, -1}, ... ) == 0x0
 03609   388   NtReleaseSemaphore  (408, 1, ... 0x0, ) == 0x0
 03610   388   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 428, ) }, ... 428, ) == 0x0
 03611   388   NtWaitForSingleObject  (428, 0, {-1800000000, -1}, ... ) == 0x0
 03612   388   NtClose  (428, ... ) == 0x0
 03613   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03614   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 428, ) == 0x0
 03615   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03616   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03617   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232168,  (0xc0100080, {24, 0, 0x40, 0, 1232168, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 432, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 432, {status=0x0, info=1}, ) == 0x0
 03618   388   NtSetInformationFile  (432, 1232224, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03619   388   NtSetInformationFile  (432, 1232216, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03620   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03621   388   NtWriteFile  (432, 253, 0, 0,  (432, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03622   388   NtReadFile  (432, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (432, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20I!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03623   388   NtFsControlFile  (432, 253, 0x0, 0x0, 0x11c017,  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20I!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20I!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03624   388   NtFsControlFile  (432, 253, 0x0, 0x0, 0x11c017,  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\264\301\257\274\316~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\264\301\257\274\316~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48},  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\264\301\257\274\316~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\264\301\257\274\316~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03625   388   NtFsControlFile  (432, 253, 0x0, 0x0, 0x11c017,  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\265\301\257\274\316~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\265\301\257\274\316~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\265\301\257\274\316~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\265\301\257\274\316~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03626   388   NtFsControlFile  (432, 253, 0x0, 0x0, 0x11c017,  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\264\301\257\274\316~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\264\301\257\274\316~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03627   388   NtFsControlFile  (432, 253, 0x0, 0x0, 0x11c017,  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\265\301\257\274\316~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (432, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\265\301\257\274\316~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03628   388   NtClose  (428, ... ) == 0x0
 03629   388   NtClose  (432, ... ) == 0x0
 03630   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03631   388   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 432, ) == 0x0
 03632   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03633   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03634   388   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1232260,  (0xc0100080, {24, 0, 0x40, 0, 1232260, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 428, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 428, {status=0x0, info=1}, ) == 0x0
 03635   388   NtSetInformationFile  (428, 1232316, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03636   388   NtSetInformationFile  (428, 1232308, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03637   388   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03638   388   NtWriteFile  (428, 253, 0, 0,  (428, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03639   388   NtReadFile  (428, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76},  (428, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\33(\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03640   388   NtFsControlFile  (428, 253, 0x0, 0x0, 0x11c017,  (428, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\33(\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... {status=0x103, info=76},  (428, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\33(\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03641   388   NtClose  (432, ... ) == 0x0
 03642   388   NtClose  (428, ... ) == 0x0
 03643   388   NtCreateKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 428, 2, ) }, 0, 0x0, 0, ... 428, 2, ) == 0x0
 03644   388   NtSetValueKey  (428,  (428, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (428, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 03645   388   NtClose  (428, ... ) == 0x0
 03646   388   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 428, ) }, ... 428, ) == 0x0
 03647   388   NtQueryValueKey  (428,  (428, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03648   388   NtClose  (428, ... ) == 0x0
 03649   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03650   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03651   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03652   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03653   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03654   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03655   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03656   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03657   388   NtCreateKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 428, 2, ) }, 0, 0x0, 0, ... 428, 2, ) == 0x0
 03658   388   NtSetValueKey  (428,  (428, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (428, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 03659   388   NtClose  (428, ... ) == 0x0
 03660   388   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 428, ) }, ... 428, ) == 0x0
 03661   388   NtQueryValueKey  (428,  (428, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03662   388   NtClose  (428, ... ) == 0x0
 03663   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03664   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03665   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03666   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03667   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03668   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 03669   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03670   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03671   388   NtWaitForSingleObject  (408, 0, {-70000000, -1}, ... ) == 0x0
 03672   388   NtReleaseSemaphore  (408, 1, ... 0x0, ) == 0x0
 03673   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03674   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 03675   388   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03676   388   NtClose  (428, ... ) == 0x0
 03677   388   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 428, ) }, ... 428, ) == 0x0
 03678   388   NtOpenKey  (0x20019, {24, 428, 0x40, 0, 0,  (0x20019, {24, 428, 0x40, 0, 0, "Network"}, ... 432, ) }, ... 432, ) == 0x0
 03679   388   NtClose  (428, ... ) == 0x0
 03680   388   NtQueryKey  (432, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (432, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0
 03681   388   NtQuerySecurityObject  (432, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 03682   388   NtQuerySecurityObject  (432, 15, 0, ... ) == STATUS_ACCESS_DENIED
 03683   388   NtWaitForSingleObject  (116, 0, {0, 0}, ... ) == 0x102
 03684   388   NtEnumerateKey  (432, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (432, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0
 03685   388   NtOpenKey  (0x2001f, {24, 432, 0x40, 0, 0,  (0x2001f, {24, 432, 0x40, 0, 0, "f"}, ... 428, ) }, ... 428, ) == 0x0
 03686   388   NtQueryValueKey  (428,  (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03687   388   NtQueryValueKey  (428,  (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03688   388   NtQueryValueKey  (428,  (428, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03689   388   NtQueryValueKey  (428,  (428, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 03690   388   NtQueryValueKey  (428,  (428, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03691   388   NtQueryValueKey  (428,  (428, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 03692   388   NtQueryValueKey  (428,  (428, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03693   388   NtClose  (428, ... ) == 0x0
 03694   388   NtEnumerateKey  (432, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (432, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0
 03695   388   NtOpenKey  (0x2001f, {24, 432, 0x40, 0, 0,  (0x2001f, {24, 432, 0x40, 0, 0, "u"}, ... 428, ) }, ... 428, ) == 0x0
 03696   388   NtQueryValueKey  (428,  (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03697   388   NtQueryValueKey  (428,  (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0
 03698   388   NtQueryValueKey  (428,  (428, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03699   388   NtQueryValueKey  (428,  (428, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0
 03700   388   NtQueryValueKey  (428,  (428, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03701   388   NtQueryValueKey  (428,  (428, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 03702   388   NtQueryValueKey  (428,  (428, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (428, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03703   388   NtClose  (428, ... ) == 0x0
 03704   388   NtClose  (432, ... ) == 0x0
 03705   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03706   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03707   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03708   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03709   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03710   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03711   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 432, ) }, ... 432, ) == 0x0
 03712   388   NtQueryKey  (434, Name, 392, ... {Name= (434, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 03713   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03714   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 03715   388   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03716   388   NtClose  (428, ... ) == 0x0
 03717   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03718   388   NtEnumerateKey  (434, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (434, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 03719   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03720   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03721   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 428, ) }, ... 428, ) == 0x0
 03722   388   NtQueryKey  (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 03723   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03724   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 03725   388   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03726   388   NtClose  (436, ... ) == 0x0
 03727   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03728   388   NtQueryValueKey  (430,  (430, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (430, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 03729   388   NtClose  (430, ... ) == 0x0
 03730   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 03731   388   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 428, {status=0x0, info=1}, ) }, 3, 96, ... 428, {status=0x0, info=1}, ) == 0x0
 03732   388   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 436, ) }, ... 436, ) == 0x0
 03733   388   NtQuerySymbolicLinkObject  (436, ...  (436, ... "\Device\WinDfs\U:00000000000091ad", 66, ) , 66, ) == 0x0
 03734   388   NtClose  (436, ... ) == 0x0
 03735   388   NtQueryVolumeInformationFile  (428, 1233580, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03736   388   NtClose  (428, ... ) == 0x0
 03737   388   NtEnumerateKey  (434, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03738   388   NtClose  (434, ... ) == 0x0
 03739   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0
 03740   388   NtQueryDirectoryFile  (432, 0, 0, 0, 1232372, 616, BothDirectory, 1,  (432, 0, 0, 0, 1232372, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03741   388   NtClose  (432, ... ) == 0x0
 03742   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03743   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03744   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 432, ) }, ... 432, ) == 0x0
 03745   388   NtQueryKey  (434, Name, 384, ... {Name= (434, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03746   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03747   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 03748   388   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03749   388   NtClose  (428, ... ) == 0x0
 03750   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03751   388   NtOpenKey  (0x1, {24, 434, 0x40, 0, 0,  (0x1, {24, 434, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03752   388   NtQueryKey  (434, Name, 384, ... {Name= (434, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03753   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03754   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 03755   388   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03756   388   NtClose  (428, ... ) == 0x0
 03757   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03758   388   NtOpenKey  (0x2000000, {24, 434, 0x40, 0, 0, ""}, ... 428, ) == 0x0
 03759   388   NtClose  (434, ... ) == 0x0
 03760   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03761   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03762   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03763   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03764   388   NtQueryValueKey  (432,  (432, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03765   388   NtClose  (432, ... ) == 0x0
 03766   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03767   388   NtOpenKey  (0x2000000, {24, 260, 0x40, 0, 0, ""}, ... 432, ) == 0x0
 03768   388   NtQueryValueKey  (432,  (432, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (432, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 03769   388   NtQueryValueKey  (432,  (432, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (432, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 03770   388   NtClose  (432, ... ) == 0x0
 03771   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03772   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03773   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03774   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03775   388   NtQueryValueKey  (432,  (432, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03776   388   NtClose  (432, ... ) == 0x0
 03777   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03778   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03779   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03780   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03781   388   NtQueryValueKey  (432,  (432, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03782   388   NtClose  (432, ... ) == 0x0
 03783   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03784   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03785   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03786   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03787   388   NtQueryValueKey  (432,  (432, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03788   388   NtClose  (432, ... ) == 0x0
 03789   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03790   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03791   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03792   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03793   388   NtQueryValueKey  (432,  (432, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03794   388   NtClose  (432, ... ) == 0x0
 03795   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03796   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03797   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03798   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03799   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03800   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03801   388   NtQueryValueKey  (432,  (432, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03802   388   NtClose  (432, ... ) == 0x0
 03803   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03804   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03805   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03806   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03807   388   NtQueryValueKey  (432,  (432, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03808   388   NtClose  (432, ... ) == 0x0
 03809   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03810   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03811   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03812   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 432, ) }, ... 432, ) == 0x0
 03813   388   NtQueryValueKey  (432,  (432, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03814   388   NtClose  (432, ... ) == 0x0
 03815   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03816   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03817   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03818   388   NtOpenKey  (0x2000000, {24, 260, 0x40, 0, 0,  (0x2000000, {24, 260, 0x40, 0, 0, "Advanced"}, ... 432, ) }, ... 432, ) == 0x0
 03819   388   NtQueryValueKey  (432,  (432, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 03820   388   NtQueryValueKey  (432,  (432, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03821   388   NtQueryValueKey  (432,  (432, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03822   388   NtQueryValueKey  (432,  (432, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03823   388   NtQueryValueKey  (432,  (432, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03824   388   NtQueryValueKey  (432,  (432, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03825   388   NtQueryValueKey  (432,  (432, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03826   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03827   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03828   388   NtQueryValueKey  (432,  (432, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03829   388   NtQueryValueKey  (432,  (432, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03830   388   NtQueryValueKey  (432,  (432, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03831   388   NtQueryValueKey  (432,  (432, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (432, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03832   388   NtQueryValueKey  (432,  (432, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03833   388   NtClose  (432, ... ) == 0x0
 03834   388   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1329880, 0,  (0x1f0003, {24, 52, 0x80, 1329880, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 432, ) }, 0, 2147483647, ... 432, ) == STATUS_OBJECT_NAME_EXISTS
 03835   388   NtReleaseSemaphore  (432, 1, ... 0, ) == 0x0
 03836   388   NtWaitForSingleObject  (432, 0, {0, 0}, ... ) == 0x0
 03837   388   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03838   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03839   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 03840   388   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03841   388   NtClose  (436, ... ) == 0x0
 03842   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03843   388   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03844   388   NtQueryKey  (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03845   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03846   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 03847   388   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03848   388   NtClose  (436, ... ) == 0x0
 03849   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03850   388   NtQueryValueKey  (430,  (430, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03851   388   NtQueryKey  (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03852   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03853   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 03854   388   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03855   388   NtClose  (436, ... ) == 0x0
 03856   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03857   388   NtQueryValueKey  (430,  (430, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03858   388   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03859   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03860   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 03861   388   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03862   388   NtClose  (436, ... ) == 0x0
 03863   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03864   388   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03865   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03866   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03867   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 436, ) }, ... 436, ) == 0x0
 03868   388   NtQueryKey  (438, Name, 384, ... {Name= (438, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 03869   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03870   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03871   388   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03872   388   NtClose  (440, ... ) == 0x0
 03873   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03874   388   NtOpenKey  (0x1, {24, 438, 0x40, 0, 0,  (0x1, {24, 438, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03875   388   NtQueryKey  (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03876   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03877   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03878   388   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03879   388   NtClose  (440, ... ) == 0x0
 03880   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03881   388   NtQueryValueKey  (430,  (430, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03882   388   NtQueryKey  (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03883   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03884   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03885   388   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03886   388   NtClose  (440, ... ) == 0x0
 03887   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03888   388   NtQueryValueKey  (430,  (430, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (430, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03889   388   NtQueryKey  (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 03890   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03891   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03892   388   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03893   388   NtClose  (440, ... ) == 0x0
 03894   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03895   388   NtQueryValueKey  (430,  (430, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03896   388   NtClose  (430, ... ) == 0x0
 03897   388   NtClose  (438, ... ) == 0x0
 03898   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\work\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 03899   388   NtQueryDirectoryFile  (436, 0, 0, 0, 1232300, 616, BothDirectory, 1,  (436, 0, 0, 0, 1232300, 616, BothDirectory, 1, "lnti.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 03900   388   NtClose  (436, ... ) == 0x0
 03901   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03902   388   NtOpenKey  (0x2000000, {24, 260, 0x40, 0, 0,  (0x2000000, {24, 260, 0x40, 0, 0, "FileExts"}, ... 436, ) }, ... 436, ) == 0x0
 03903   388   NtOpenKey  (0x2000000, {24, 436, 0x40, 0, 0,  (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03904   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03905   388   NtOpenKey  (0x2000000, {24, 436, 0x40, 0, 0,  (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03906   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03907   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03908   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 428, ) }, ... 428, ) == 0x0
 03909   388   NtQueryKey  (430, Name, 392, ... {Name= (430, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03910   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03911   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03912   388   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03913   388   NtClose  (440, ... ) == 0x0
 03914   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03915   388   NtQueryValueKey  (430, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (430, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 03916   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03917   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03918   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 440, ) }, ... 440, ) == 0x0
 03919   388   NtQueryKey  (442, Name, 384, ... {Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03920   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03921   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 444, ) == 0x0
 03922   388   NtQueryInformationToken  (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03923   388   NtClose  (444, ... ) == 0x0
 03924   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03925   388   NtOpenKey  (0x1, {24, 442, 0x40, 0, 0,  (0x1, {24, 442, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03926   388   NtQueryKey  (442, Name, 384, ... {Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03927   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03928   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 444, ) == 0x0
 03929   388   NtQueryInformationToken  (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03930   388   NtClose  (444, ... ) == 0x0
 03931   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03932   388   NtOpenKey  (0x2000000, {24, 442, 0x40, 0, 0, ""}, ... 444, ) == 0x0
 03933   388   NtClose  (442, ... ) == 0x0
 03934   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 03935   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 03936   388   NtReleaseSemaphore  (432, 1, ... 0, ) == 0x0
 03937   388   NtWaitForSingleObject  (432, 0, {0, 0}, ... ) == 0x0
 03938   388   NtQueryKey  (446, Name, 384, ... {Name= (446, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03939   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03940   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03941   388   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03942   388   NtClose  (440, ... ) == 0x0
 03943   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03944   388   NtOpenKey  (0x1, {24, 446, 0x40, 0, 0,  (0x1, {24, 446, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03945   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03946   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03947   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03948   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 03949   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03950   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 440, ) }, ... 440, ) == 0x0
 03951   388   NtQueryKey  (442, Name, 392, ... {Name= (442, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 03952   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03953   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 03954   388   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03955   388   NtClose  (448, ... ) == 0x0
 03956   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03957   388   NtQueryValueKey  (442,  (442, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03958   388   NtClose  (442, ... ) == 0x0
 03959   388   NtQueryKey  (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03960   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03961   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03962   388   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03963   388   NtClose  (440, ... ) == 0x0
 03964   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03965   388   NtQueryValueKey  (446,  (446, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03966   388   NtQueryKey  (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03967   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03968   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03969   388   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03970   388   NtClose  (440, ... ) == 0x0
 03971   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03972   388   NtQueryValueKey  (446,  (446, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03973   388   NtQueryKey  (446, Name, 384, ... {Name= (446, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03974   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03975   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 03976   388   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03977   388   NtClose  (440, ... ) == 0x0
 03978   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03979   388   NtOpenKey  (0x1, {24, 446, 0x40, 0, 0,  (0x1, {24, 446, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03980   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 03981   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03982   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 440, ) }, ... 440, ) == 0x0
 03983   388   NtQueryKey  (442, Name, 384, ... {Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 03984   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03985   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 03986   388   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03987   388   NtClose  (448, ... ) == 0x0
 03988   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03989   388   NtOpenKey  (0x1, {24, 442, 0x40, 0, 0,  (0x1, {24, 442, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03990   388   NtQueryKey  (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03991   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03992   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 03993   388   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03994   388   NtClose  (448, ... ) == 0x0
 03995   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03996   388   NtQueryValueKey  (446,  (446, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03997   388   NtQueryKey  (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 03998   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03999   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04000   388   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04001   388   NtClose  (448, ... ) == 0x0
 04002   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04003   388   NtQueryValueKey  (446,  (446, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04004   388   NtQueryKey  (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 04005   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04006   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04007   388   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04008   388   NtClose  (448, ... ) == 0x0
 04009   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04010   388   NtQueryValueKey  (446,  (446, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04011   388   NtClose  (430, ... ) == 0x0
 04012   388   NtClose  (446, ... ) == 0x0
 04013   388   NtClose  (442, ... ) == 0x0
 04014   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04015   388   NtOpenKey  (0x2000000, {24, 436, 0x40, 0, 0,  (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04016   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04017   388   NtOpenKey  (0x2000000, {24, 436, 0x40, 0, 0,  (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04018   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04019   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04020   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 440, ) }, ... 440, ) == 0x0
 04021   388   NtQueryKey  (442, Name, 392, ... {Name= (442, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 04022   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04023   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 444, ) == 0x0
 04024   388   NtQueryInformationToken  (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04025   388   NtClose  (444, ... ) == 0x0
 04026   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04027   388   NtQueryValueKey  (442, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (442, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 04028   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04029   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04030   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 444, ) }, ... 444, ) == 0x0
 04031   388   NtQueryKey  (446, Name, 384, ... {Name= (446, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 04032   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04033   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 04034   388   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04035   388   NtClose  (428, ... ) == 0x0
 04036   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04037   388   NtOpenKey  (0x1, {24, 446, 0x40, 0, 0,  (0x1, {24, 446, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04038   388   NtQueryKey  (446, Name, 384, ... {Name= (446, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 04039   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04040   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 04041   388   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04042   388   NtClose  (428, ... ) == 0x0
 04043   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04044   388   NtOpenKey  (0x2000000, {24, 446, 0x40, 0, 0, ""}, ... 428, ) == 0x0
 04045   388   NtClose  (446, ... ) == 0x0
 04046   388   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 04047   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04048   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 444, ) == 0x0
 04049   388   NtQueryInformationToken  (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04050   388   NtClose  (444, ... ) == 0x0
 04051   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04052   388   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04053   388   NtQueryKey  (442, Name, 384, ... {Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 04054   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04055   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 444, ) == 0x0
 04056   388   NtQueryInformationToken  (444, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04057   388   NtClose  (444, ... ) == 0x0
 04058   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04059   388   NtOpenKey  (0x1, {24, 442, 0x40, 0, 0,  (0x1, {24, 442, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04060   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04061   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04062   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04063   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 04064   388   NtOpenKey  (0x1, {24, 274, 0x40, 0, 0,  (0x1, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04065   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 444, ) }, ... 444, ) == 0x0
 04066   388   NtQueryKey  (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 04067   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04068   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04069   388   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04070   388   NtClose  (448, ... ) == 0x0
 04071   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04072   388   NtQueryValueKey  (446,  (446, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04073   388   NtClose  (446, ... ) == 0x0
 04074   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04075   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04076   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 444, ) }, ... 444, ) == 0x0
 04077   388   NtQueryKey  (446, Name, 384, ... {Name= (446, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 04078   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04079   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04080   388   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04081   388   NtClose  (448, ... ) == 0x0
 04082   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04083   388   NtOpenKey  (0x1, {24, 446, 0x40, 0, 0,  (0x1, {24, 446, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04084   388   NtClose  (442, ... ) == 0x0
 04085   388   NtClose  (430, ... ) == 0x0
 04086   388   NtClose  (446, ... ) == 0x0
 04087   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04088   388   NtOpenKey  (0x2000000, {24, 436, 0x40, 0, 0,  (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04089   388   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04090   388   NtOpenKey  (0x2000000, {24, 436, 0x40, 0, 0,  (0x2000000, {24, 436, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04091   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04092   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04093   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 444, ) }, ... 444, ) == 0x0
 04094   388   NtQueryKey  (446, Name, 392, ... {Name= (446, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 04095   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04096   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 04097   388   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04098   388   NtClose  (428, ... ) == 0x0
 04099   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04100   388   NtQueryValueKey  (446, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (446, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 04101   388   NtQueryKey  (274, Name, 384, ... {Name= (274, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 04102   388   NtOpenKey  (0x2000000, {24, 274, 0x40, 0, 0,  (0x2000000, {24, 274, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04103   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 428, ) }, ... 428, ) == 0x0
 04104   388   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 04105   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04106   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 04107   388   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04108   388   NtClose  (440, ... ) == 0x0
 04109   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04110   388   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04111   388   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 04112   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04113   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 440, ) == 0x0
 04114   388   NtQueryInformationToken  (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04115   388   NtClose  (440, ... ) == 0x0
 04116   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04117   388   NtOpenKey  (0x2000000, {24, 430, 0x40, 0, 0, ""}, ... 440, ) == 0x0
 04118   388   NtClose  (430, ... ) == 0x0
 04119   388   NtQueryKey  (442, Name, 384, ... {Name= (442, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 04120   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04121   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 428, ) == 0x0
 04122   388   NtQueryInformationToken  (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04123   388   NtClose  (428, ... ) == 0x0
 04124   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04125   388   NtOpenKey  (0x2000000, {24, 442, 0x40, 0, 0,  (0x2000000, {24, 442, 0x40, 0, 0, "shell\open"}, ... 428, ) }, ... 428, ) == 0x0
 04126   388   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 04127   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04128   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04129   388   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04130   388   NtClose  (448, ... ) == 0x0
 04131   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04132   388   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "command"}, ... 448, ) }, ... 448, ) == 0x0
 04133   388   NtQueryKey  (450, Name, 392, ... {Name= (450, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 04134   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04135   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 452, ) == 0x0
 04136   388   NtQueryInformationToken  (452, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04137   388   NtClose  (452, ... ) == 0x0
 04138   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04139   388   NtQueryValueKey  (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 04140   388   NtClose  (450, ... ) == 0x0
 04141   388   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04142   388   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 04143   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04144   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04145   388   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04146   388   NtClose  (448, ... ) == 0x0
 04147   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04148   388   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "command"}, ... 448, ) }, ... 448, ) == 0x0
 04149   388   NtQueryKey  (450, Name, 392, ... {Name= (450, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 04150   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04151   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 452, ) == 0x0
 04152   388   NtQueryInformationToken  (452, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04153   388   NtClose  (452, ... ) == 0x0
 04154   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04155   388   NtQueryValueKey  (450,  (450, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04156   388   NtClose  (450, ... ) == 0x0
 04157   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\lnti.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04158   388   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 04159   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04160   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04161   388   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04162   388   NtClose  (448, ... ) == 0x0
 04163   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04164   388   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "command"}, ... 448, ) }, ... 448, ) == 0x0
 04165   388   NtQueryKey  (450, Name, 392, ... {Name= (450, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 04166   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04167   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 452, ) == 0x0
 04168   388   NtQueryInformationToken  (452, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04169   388   NtClose  (452, ... ) == 0x0
 04170   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04171   388   NtQueryValueKey  (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 04172   388   NtClose  (450, ... ) == 0x0
 04173   388   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 04174   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04175   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04176   388   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04177   388   NtClose  (448, ... ) == 0x0
 04178   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04179   388   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04180   388   NtUserGetForegroundWindow  (... ) == 0x20064
 04181   388   NtQueryKey  (430, Name, 384, ... {Name= (430, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 04182   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04183   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 448, ) == 0x0
 04184   388   NtQueryInformationToken  (448, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04185   388   NtClose  (448, ... ) == 0x0
 04186   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04187   388   NtOpenKey  (0x1, {24, 430, 0x40, 0, 0,  (0x1, {24, 430, 0x40, 0, 0, "command"}, ... 448, ) }, ... 448, ) == 0x0
 04188   388   NtQueryKey  (450, Name, 392, ... {Name= (450, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 04189   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04190   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 452, ) == 0x0
 04191   388   NtQueryInformationToken  (452, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04192   388   NtClose  (452, ... ) == 0x0
 04193   388   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04194   388   NtQueryValueKey  (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (450, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 04195   388   NtClose  (450, ... ) == 0x0
 04196   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 04197   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 04198   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04199   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 448, ) }, ... 448, ) == 0x0
 04200   388   NtQueryValueKey  (448,  (448, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04201   388   NtClose  (448, ... ) == 0x0
 04202   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 04203   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 04204   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04205   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 448, ) }, ... 448, ) == 0x0
 04206   388   NtQueryValueKey  (448,  (448, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04207   388   NtClose  (448, ... ) == 0x0
 04208   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\lnti.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04209   388   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04210   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\lnti.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04211   388   NtReleaseSemaphore  (264, 1, ... 0, ) == 0x0
 04212   388   NtWaitForSingleObject  (264, 0, {0, 0}, ... ) == 0x0
 04213   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04214   388   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 448, ) }, ... 448, ) == 0x0
 04215   388   NtQueryValueKey  (448,  (448, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04216   388   NtClose  (448, ... ) == 0x0
 04217   388   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\lnti.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04218   388   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 04219   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\lnti.bat"}, 1228776, ... ) }, 1228776, ... ) == 0x0
 04220   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\lnti.bat"}, 1229468, ... ) }, 1229468, ... ) == 0x0
 04221   388   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\u:\work\lnti.bat"}, 5, 96, ... 448, {status=0x0, info=1}, ) }, 5, 96, ... 448, {status=0x0, info=1}, ) == 0x0
 04222   388   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 448, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 04223   388   NtQueryVolumeInformationFile  (448, 1228776, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 04224   388   NtWaitForSingleObject  (276, 0, {-1000000, -1}, ... ) == 0x0
 04225   388   NtReleaseMutant  (276, ... 0x0, ) == 0x0
 04226   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 452, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 452, {status=0x0, info=1}, ) == 0x0
 04227   388   NtQueryInformationFile  (452, 1227364, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04228   388   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 452, ... 456, ) == 0x0
 04229   388   NtMapViewOfSection  (456, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1400000), 0x0, 1028096, ) == 0x0
 04230   388   NtQueryInformationFile  (452, 1227460, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04231   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04232   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0
 04233   388   NtQueryDirectoryFile  (460, 0, 0, 0, 1225024, 616, BothDirectory, 1,  (460, 0, 0, 0, 1225024, 616, BothDirectory, 1, "lnti.bat", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 04234   388   NtClose  (460, ... ) == 0x0
 04235   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04236   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04237   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\lnti.bat"}, 1224412, ... ) }, 1224412, ... ) == 0x0
 04238   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0
 04239   388   NtQueryDirectoryFile  (460, 0, 0, 0, 1223772, 616, BothDirectory, 1,  (460, 0, 0, 0, 1223772, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 04240   388   NtClose  (460, ... ) == 0x0
 04241   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0
 04242   388   NtQueryDirectoryFile  (460, 0, 0, 0, 1223772, 616, BothDirectory, 1,  (460, 0, 0, 0, 1223772, 616, BothDirectory, 1, "lnti.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 04243   388   NtClose  (460, ... ) == 0x0
 04244   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04245   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04246   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 04247   388   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 460, {status=0x0, info=1}, ) }, 3, 96, ... 460, {status=0x0, info=1}, ) == 0x0
 04248   388   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 464, ) }, ... 464, ) == 0x0
 04249   388   NtQuerySymbolicLinkObject  (464, ...  (464, ... "\Device\WinDfs\U:00000000000091ad", 66, ) , 66, ) == 0x0
 04250   388   NtClose  (464, ... ) == 0x0
 04251   388   NtQueryVolumeInformationFile  (460, 1225164, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 04252   388   NtClose  (460, ... ) == 0x0
 04253   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04254   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 460, ) == 0x0
 04255   388   NtQueryInformationToken  (460, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04256   388   NtClose  (460, ... ) == 0x0
 04257   388   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04258   388   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\lnti.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04259   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04260   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04261   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\lnti.bat"}, 1226692, ... ) }, 1226692, ... ) == 0x0
 04262   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0
 04263   388   NtQueryDirectoryFile  (460, 0, 0, 0, 1226052, 616, BothDirectory, 1,  (460, 0, 0, 0, 1226052, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 04264   388   NtClose  (460, ... ) == 0x0
 04265   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 460, {status=0x0, info=1}, ) }, 3, 16417, ... 460, {status=0x0, info=1}, ) == 0x0
 04266   388   NtQueryDirectoryFile  (460, 0, 0, 0, 1226052, 616, BothDirectory, 1,  (460, 0, 0, 0, 1226052, 616, BothDirectory, 1, "lnti.bat", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 04267   388   NtClose  (460, ... ) == 0x0
 04268   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04269   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04270   388   NtWaitForSingleObject  (276, 0, {-1000000, -1}, ... ) == 0x0
 04271   388   NtQueryVolumeInformationFile  (448, 1227336, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 04272   388   NtQueryInformationFile  (448, 1227316, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 04273   388   NtQueryInformationFile  (448, 1227356, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04274   388   NtReleaseMutant  (276, ... 0x0, ) == 0x0
 04275   388   NtUnmapViewOfSection  (-1, 0x1400000, ... ) == 0x0
 04276   388   NtClose  (456, ... ) == 0x0
 04277   388   NtClose  (452, ... ) == 0x0
 04278   388   NtClose  (448, ... ) == 0x0
 04279   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1228752, ... ) }, 1228752, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04280   388   NtQueryAttributesFile  ({24, 244, 0x40, 0, 0,  ({24, 244, 0x40, 0, 0, "cmd.exe"}, 1228752, ... ) }, 1228752, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04281   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1228752, ... ) }, 1228752, ... ) == 0x0
 04282   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1229468, ... ) }, 1229468, ... ) == 0x0
 04283   388   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 448, {status=0x0, info=1}, ) }, 5, 96, ... 448, {status=0x0, info=1}, ) == 0x0
 04284   388   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 448, ... 452, ) == 0x0
 04285   388   NtQuerySection  (452, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 04286   388   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04287   388   NtCreateProcessEx  (1231404, 2035711, 0, -1, 0, 452, 0, 0, 0, ... ) == 0x0
 04288   388   NtSetInformationProcess  (456, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04289   388   NtQueryInformationProcess  (456, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=200,ParentPid=316,}, 0x0, ) == 0x0
 04290   388   NtReadVirtualMemory  (456, 0x7ffdf008, 4, ...  (456, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 04291   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04292   388   NtReadVirtualMemory  (456, 0x4ad00000, 4096, ...  (456, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 04293   388   NtReadVirtualMemory  (456, 0x4ad3b000, 256, ...  (456, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 04294   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04295   388   NtQueryInformationProcess  (456, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=200,ParentPid=316,}, 0x0, ) == 0x0
 04296   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1229468, ... ) }, 1229468, ... ) == 0x0
 04297   388   NtAllocateVirtualMemory  (-1, 0, 0, 1640, 4096, 4, ... 20971520, 4096, ) == 0x0
 04298   388   NtAllocateVirtualMemory  (456, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 04299   388   NtWriteVirtualMemory  (456, 0x10000,  (456, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 04300   388   NtAllocateVirtualMemory  (456, 0, 0, 1640, 4096, 4, ... 131072, 4096, ) == 0x0
 04301   388   NtWriteVirtualMemory  (456, 0x20000,  (456, 0x20000, "\0\20\0\0h\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\08\0:\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\0\14\6\0\0\36\0 \0D\6\0\0\0\0\2\0d\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1640, ... 0x0, ) , 1640, ... 0x0, ) == 0x0
 04302   388   NtWriteVirtualMemory  (456, 0x7ffdf010,  (456, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 04303   388   NtWriteVirtualMemory  (456, 0x7ffdf1e8,  (456, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 04304   388   NtFreeVirtualMemory  (-1, (0x1400000), 0, 32768, ... (0x1400000), 4096, ) == 0x0
 04305   388   NtAllocateVirtualMemory  (456, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 04306   388   NtAllocateVirtualMemory  (456, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 04307   388   NtCreateThread  (0x1f03ff, 0x0, 456, 1229668, 1230388, 1, ... 460, {200, 208}, ) == 0x0
 04308   388   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1231500, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1231500, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\310\1\0\0\314\1\0\0\310\0\0\0\320\0\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\30\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 388, 2654, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\310\1\0\0\314\1\0\0\310\0\0\0\320\0\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\30\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 316, 388, 2654, 0}  (24, {168, 196, new_msg, 0, 0, 1231500, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\310\1\0\0\314\1\0\0\310\0\0\0\320\0\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\30\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 388, 2654, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\310\1\0\0\314\1\0\0\310\0\0\0\320\0\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\30\315\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 04309   388   NtResumeThread  (460, ... 1, ) == 0x0
 04310   388   NtClose  (448, ... ) == 0x0
 04311   388   NtClose  (452, ... ) == 0x0
 04312   388   NtClose  (430, ... ) == 0x0
 04313   388   NtClose  (446, ... ) == 0x0
 04314   388   NtClose  (442, ... ) == 0x0
 04315   388   NtClose  (456, ... ) == 0x0
 04316   388   NtClose  (460, ... ) == 0x0
 04317   388   NtFreeVirtualMemory  (-1, (0x162000), 20480, 16384, ... (0x162000), 20480, ) == 0x0
 04318   388   NtGdiDeleteObjectApp  (218629228, ... ) == 0x1
 04319   388   NtUserGetClassInfo  (1989935104, 1233708, 1233660, 1233736, 0, ... ) == 0x0
 04320   388   NtUserGetClassInfo  (1989935104, 1233708, 1233660, 1233736, 0, ... ) == 0x0
 04321   388   NtUserGetClassInfo  (1989935104, 1233708, 1233660, 1233736, 0, ... ) == 0x0
 04322   388   NtUserGetClassInfo  (1989935104, 1233708, 1233660, 1233736, 0, ... ) == 0x0
 04323   388   NtUserGetClassInfo  (1989935104, 1233708, 1233660, 1233736, 0, ... ) == 0x0
 04324   388   NtUserGetClassInfo  (1989935104, 1233708, 1233660, 1233736, 0, ... ) == 0x0
 04325   388   NtUserGetClassInfo  (1989935104, 1233708, 1233660, 1233736, 0, ... ) == 0x0
 04326   388   NtUserGetClassInfo  (1989935104, 1233708, 1233660, 1233736, 0, ... ) == 0x0
 04327   388   NtUnmapViewOfSection  (-1, 0xff0000, ... ) == 0x0
 04328   388   NtClose  (392, ... ) == 0x0
 04329   388   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 04330   388   NtUserDestroyWindow  (131300, ...
 04331   388   NtUserRemoveProp  (131300, 43288, ... ) == 0xffffffff
 04332   388   NtUserRemoveProp  (131300, 43282, ... ) == 0x0
 04333   388   NtUserRemoveProp  (131300, 43287, ... ) == 0x0
 04330   388   NtUserDestroyWindow  ... ) == 0x1
 04334   388   NtUserUnregisterClass  (1234848, 1998258176, 1234836, ... ) == 0x1
 04335   388   NtClose  (296, ... ) == 0x0
 04336   388   NtClose  (288, ... ) == 0x0
 04337   388   NtClose  (292, ... ) == 0x0
 04338   388   NtClose  (268, ... ) == 0x0
 04339   388   NtClose  (284, ... ) == 0x0
 04340   388   NtClose  (316, ... ) == 0x0
 04341   388   NtClose  (320, ... ) == 0x0
 04342   388   NtClose  (312, ... ) == 0x0
 04343   388   NtClose  (304, ... ) == 0x0
 04344   388   NtClose  (308, ... ) == 0x0
 04345   388   NtClose  (332, ... ) == 0x0
 04346   388   NtClose  (336, ... ) == 0x0
 04347   388   NtClose  (324, ... ) == 0x0
 04348   388   NtClose  (328, ... ) == 0x0
 04349   388   NtClose  (356, ... ) == 0x0
 04350   388   NtClose  (348, ... ) == 0x0
 04351   388   NtClose  (352, ... ) == 0x0
 04352   388   NtClose  (340, ... ) == 0x0
 04353   388   NtClose  (344, ... ) == 0x0
 04354   388   NtClose  (360, ... ) == 0x0
 04355   388   NtClose  (364, ... ) == 0x0
 04356   388   NtClose  (376, ... ) == 0x0
 04357   388   NtClose  (380, ... ) == 0x0
 04358   388   NtClose  (368, ... ) == 0x0
 04359   388   NtClose  (372, ... ) == 0x0
 04360   388   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 04361   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 1235724, ... ) }, 1235724, ... ) == 0x0
 04362   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 1236416, ... ) }, 1236416, ... ) == 0x0
 04363   388   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 5, 96, ... 372, {status=0x0, info=1}, ) }, 5, 96, ... 372, {status=0x0, info=1}, ) == 0x0
 04364   388   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 372, ... 368, ) == 0x0
 04365   388   NtQueryVolumeInformationFile  (372, 1235724, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 04366   388   NtWaitForSingleObject  (276, 0, {-1000000, -1}, ... ) == 0x0
 04367   388   NtReleaseMutant  (276, ... 0x0, ) == 0x0
 04368   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 380, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 380, {status=0x0, info=1}, ) == 0x0
 04369   388   NtQueryInformationFile  (380, 1234312, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04370   388   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 380, ... 376, ) == 0x0
 04371   388   NtMapViewOfSection  (376, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1400000), 0x0, 1028096, ) == 0x0
 04372   388   NtQueryInformationFile  (380, 1234408, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04373   388   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04374   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 04375   388   NtQueryDirectoryFile  (364, 0, 0, 0, 1231972, 616, BothDirectory, 1,  (364, 0, 0, 0, 1231972, 616, BothDirectory, 1, "logon.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 04376   388   NtClose  (364, ... ) == 0x0
 04377   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04378   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04379   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 1231360, ... ) }, 1231360, ... ) == 0x0
 04380   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 04381   388   NtQueryDirectoryFile  (364, 0, 0, 0, 1230720, 616, BothDirectory, 1,  (364, 0, 0, 0, 1230720, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 04382   388   NtClose  (364, ... ) == 0x0
 04383   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 04384   388   NtQueryDirectoryFile  (364, 0, 0, 0, 1230720, 616, BothDirectory, 1,  (364, 0, 0, 0, 1230720, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 04385   388   NtClose  (364, ... ) == 0x0
 04386   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 04387   388   NtQueryDirectoryFile  (364, 0, 0, 0, 1230720, 616, BothDirectory, 1,  (364, 0, 0, 0, 1230720, 616, BothDirectory, 1, "logon.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 04388   388   NtClose  (364, ... ) == 0x0
 04389   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04390   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04391   388   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 04392   388   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04393   388   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 04394   388   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04395   388   NtClose  (364, ... ) == 0x0
 04396   388   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04397   388   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\logon.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04398   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04399   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04400   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 1233640, ... ) }, 1233640, ... ) == 0x0
 04401   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 04402   388   NtQueryDirectoryFile  (364, 0, 0, 0, 1233000, 616, BothDirectory, 1,  (364, 0, 0, 0, 1233000, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 04403   388   NtClose  (364, ... ) == 0x0
 04404   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 04405   388   NtQueryDirectoryFile  (364, 0, 0, 0, 1233000, 616, BothDirectory, 1,  (364, 0, 0, 0, 1233000, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 04406   388   NtClose  (364, ... ) == 0x0
 04407   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 04408   388   NtQueryDirectoryFile  (364, 0, 0, 0, 1233000, 616, BothDirectory, 1,  (364, 0, 0, 0, 1233000, 616, BothDirectory, 1, "logon.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 04409   388   NtClose  (364, ... ) == 0x0
 04410   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04411   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04412   388   NtWaitForSingleObject  (276, 0, {-1000000, -1}, ... ) == 0x0
 04413   388   NtQueryVolumeInformationFile  (372, 1234284, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 04414   388   NtQueryInformationFile  (372, 1234264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 04415   388   NtQueryInformationFile  (372, 1234304, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04416   388   NtReleaseMutant  (276, ... 0x0, ) == 0x0
 04417   388   NtUnmapViewOfSection  (-1, 0x1400000, ... ) == 0x0
 04418   388   NtClose  (376, ... ) == 0x0
 04419   388   NtClose  (380, ... ) == 0x0
 04420   388   NtQuerySection  (368, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 04421   388   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logon.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04422   388   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 04423   388   NtOpenProcessToken  (-1, 0xa, ... 380, ) == 0x0
 04424   388   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 376, ) }, ... 376, ) == 0x0
 04425   388   NtQueryValueKey  (376,  (376, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 04426   388   NtQueryValueKey  (376,  (376, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (376, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 04427   388   NtClose  (376, ... ) == 0x0
 04428   388   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 376, ) }, ... 376, ) == 0x0
 04429   388   NtQuerySymbolicLinkObject  (376, ...  (376, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 04430   388   NtClose  (376, ... ) == 0x0
 04431   388   NtQueryInformationFile  (372, 1234076, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 04432   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04433   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04434   388   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe"}, 1232756, ... ) }, 1232756, ... ) == 0x0
 04435   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 376, {status=0x0, info=1}, ) }, 3, 16417, ... 376, {status=0x0, info=1}, ) == 0x0
 04436   388   NtQueryDirectoryFile  (376, 0, 0, 0, 1232116, 616, BothDirectory, 1,  (376, 0, 0, 0, 1232116, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 04437   388   NtClose  (376, ... ) == 0x0
 04438   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 376, {status=0x0, info=1}, ) }, 3, 16417, ... 376, {status=0x0, info=1}, ) == 0x0
 04439   388   NtQueryDirectoryFile  (376, 0, 0, 0, 1232116, 616, BothDirectory, 1,  (376, 0, 0, 0, 1232116, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 04440   388   NtClose  (376, ... ) == 0x0
 04441   388   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 376, {status=0x0, info=1}, ) }, 3, 16417, ... 376, {status=0x0, info=1}, ) == 0x0
 04442   388   NtQueryDirectoryFile  (376, 0, 0, 0, 1232116, 616, BothDirectory, 1,  (376, 0, 0, 0, 1232116, 616, BothDirectory, 1, "logon.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 04443   388   NtClose  (376, ... ) == 0x0
 04444   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04445   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04446   388   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 376, ) }, ... 376, ) == 0x0
 04447   388   NtQueryValueKey  (376,  (376, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04448   388   NtClose  (376, ... ) == 0x0
 04449   388   NtQueryInformationToken  (380, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 04450   388   NtQueryInformationToken  (380, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 04451   388   NtClose  (380, ... ) == 0x0
 04452   388   NtCreateProcessEx  (1238352, 2035711, 0, -1, 4, 368, 0, 0, 0, ... ) == 0x0
 04453   388   NtSetInformationProcess  (380, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 04454   388   NtQueryInformationProcess  (380, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=212,ParentPid=316,}, 0x0, ) == 0x0
 04455   388   NtReadVirtualMemory  (380, 0x7ffdf008, 4, ...  (380, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 04456   388   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\logon.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04457   388   NtReadVirtualMemory  (380, 0x400000, 4096, ...  (380, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V\323\325s\22\262\273 \22\262\273 \22\262\273 L\220\260 \20\262\273 i\256\267 \21\262\273 \221\272\346 \36\262\273 \221\256\265 \25\262\273 }\255\277 \21\262\273 }\255\260 \23\262\273 \22\262\272 \266\262\273 $\224\260 /\262\273 Rich\22\262\273 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\340\253\231D\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\260\0\0\0\20\0\0\0\360\0\0\0\300\2\0\0\0\1\0\0\260\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0p\3\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\260\1\0\220\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0", 4096, ) , 4096, ) == 0x0
 04458   388   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04459   388   NtQueryInformationProcess  (380, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=212,ParentPid=316,}, 0x0, ) == 0x0
 04460   388   NtAllocateVirtualMemory  (-1, 0, 0, 1648, 4096, 4, ... 16711680, 4096, ) == 0x0
 04461   388   NtAllocateVirtualMemory  (380, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 04462   388   NtWriteVirtualMemory  (380, 0x10000,  (380, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 04463   388   NtAllocateVirtualMemory  (380, 0, 0, 1648, 4096, 4, ... 131072, 4096, ) == 0x0
 04464   388   NtWriteVirtualMemory  (380, 0x20000,  (380, 0x20000, "\0\20\0\0p\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\10\2\220\2\0\0\367\0\0\0\374\0\376\0\230\4\0\0:\0<\0\230\5\0\0:\0<\0\324\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\20\6\0\0\36\0 \0L\6\0\0\0\0\2\0l\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1648, ... 0x0, ) , 1648, ... 0x0, ) == 0x0
 04465   388   NtWriteVirtualMemory  (380, 0x7ffdf010,  (380, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 04466   388   NtWriteVirtualMemory  (380, 0x7ffdf1e8,  (380, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 04467   388   NtFreeVirtualMemory  (-1, (0xff0000), 0, 32768, ... (0xff0000), 4096, ) == 0x0
 04468   388   NtAllocateVirtualMemory  (380, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 04469   388   NtAllocateVirtualMemory  (380, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 04470   388   NtProtectVirtualMemory  (380, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 04471   388   NtCreateThread  (0x1f03ff, 0x0, 380, 1236616, 1237336, 1, ... 376, {212, 204}, ) == 0x0
 04472   388   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1485384, 1238436}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1485384, 1238436} "\0\0\0\0\0\0\1\0\2$\370w U\367w\177\1\0\0x\1\0\0\324\0\0\0\314\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 388, 2672, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w|\1\0\0x\1\0\0\324\0\0\0\314\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 316, 388, 2672, 0}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1485384, 1238436} "\0\0\0\0\0\0\1\0\2$\370w U\367w\177\1\0\0x\1\0\0\324\0\0\0\314\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 316, 388, 2672, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w|\1\0\0x\1\0\0\324\0\0\0\314\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\\0w\0o\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 04473   388   NtResumeThread  (376, ... 1, ) == 0x0
 04474   388   NtClose  (372, ... ) == 0x0
 04475   388   NtClose  (368, ... ) == 0x0
 04476   388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 368, ) == 0x0
 04477   388   NtYieldExecution  (... ) == 0x0
 04478   388   NtFreeVirtualMemory  (-1, (0x148000), 4096, 16384, ... (0x148000), 4096, ) == 0x0
 04479   388   NtClose  (96, ... ) == 0x0
 04480   388   NtClose  (92, ... ) == 0x0
 04481   388   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 04482   388   NtYieldExecution  (... ) == 0x0
 04483   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 04484   388   NtClearEvent  (212, ... ) == 0x0
 04485   388   NtClose  (212, ... ) == 0x0
 04486   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 04487   388   NtUnmapViewOfSection  (-1, 0x76fb0000, ... ) == 0x0
 04488   388   NtUnmapViewOfSection  (-1, 0x76f60000, ... ) == 0x0
 04489   388   NtUnmapViewOfSection  (-1, 0x71a50000, ... ) == 0x0
 04490   388   NtClose  (104, ... ) == 0x0
 04491   388   NtClose  (100, ... ) == 0x0
 04492   388   NtTerminateProcess  (0, 0, ...
 01711  1508   NtDelayExecution  ... ) == 0xc0
 01734  1512   NtDelayExecution  ... ) == 0xc0
 01743  1516   NtDelayExecution  ... ) == 0xc0
 03042   196   NtWaitForMultipleObjects  ... ) == 0xc0
 04492   388   NtTerminateProcess  ... ) == 0x0
 04493   388   NtRaiseException  (1238100, 1237360, 1, ...
 04494   388   NtContinue  (1236156, 0, ...
 04495   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 04496   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04497   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 04498   388   NtRaiseException  (1228076, 1227336, 1, ...
 04499   388   NtContinue  (1226132, 0, ...
 04500   388   NtWaitForSingleObject  (412, 0, 0x0, ... ) == 0x0
 04501   388   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04502   388   NtReleaseMutant  (412, ... 0x0, ) == 0x0
 04503   388   NtUnmapViewOfSection  (-1, 0xfe0000, ... ) == 0x0
 04504   388   NtClose  (424, ... ) == 0x0
 04505   388   NtClose  (420, ... ) == 0x0
 04506   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x14,}, 4, ... ) == 0x0
 04507   388   NtFreeVirtualMemory  (-1, (0xfd0000), 0, 32768, ... (0xfd0000), 65536, ) == 0x0
 04508   388   NtClose  (408, ... ) == 0x0
 04509   388   NtClose  (416, ... ) == 0x0
 04510   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x13,}, 4, ... ) == 0x0
 04511   388   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 416, ) }, ... 416, ) == 0x0
 04512   388   NtQueryValueKey  (416,  (416, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 04513   388   NtClose  (416, ... ) == 0x0
 04514   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0
 04515   388   NtFreeVirtualMemory  (-1, (0xfa0000), 0, 32768, ... (0xfa0000), 65536, ) == 0x0
 04516   388   NtUnmapViewOfSection  (-1, 0xe80000, ... ) == 0x0
 04517   388   NtClose  (384, ... ) == 0x0
 04518   388   NtFreeVirtualMemory  (-1, (0xe90000), 4096, 16384, ... (0xe90000), 4096, ) == 0x0
 04519   388   NtFreeVirtualMemory  (-1, (0xe90000), 0, 32768, ... (0xe90000), 65536, ) == 0x0
 04520   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0
 04521   388   NtFreeVirtualMemory  (-1, (0x15e000), 12288, 16384, ... (0x15e000), 12288, ) == 0x0
 04522   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 04523   388   NtUnmapViewOfSection  (-1, 0xe20000, ... ) == 0x0
 04524   388   NtClose  (240, ... ) == 0x0
 04525   388   NtGdiDeleteObjectApp  (34603849, ... ) == 0x1
 04526   388   NtUserGetProcessWindowStation  (... ) == 0x28
 04527   388   NtUserBuildNameList  (40, 256, 1329616, 1238740, ... ) == 0x0
 04528   388   NtUserGetProcessWindowStation  (... ) == 0x28
 04529   388   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0xf0
 04530   388   NtUserBuildHwndList  (240, 0, 0, 0, 64, ... (0x3004c, 0x200c6, 0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x300e4, 0x500b2, 0x100d8, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20064, 0x100d6, 0x100cc, 0x100ca, 0x100ac, 0x2005e, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 41, ) == 0x0
 04531   388   NtUserQueryWindow  (196684, 0, ... ) == 0x774
 04532   388   NtUserQueryWindow  (196684, 1, ... ) == 0x784
 04533   388   NtUserQueryWindow  (131270, 0, ... ) == 0x774
 04534   388   NtUserQueryWindow  (131270, 1, ... ) == 0x784
 04535   388   NtUserQueryWindow  (65706, 0, ... ) == 0x7e4
 04536   388   NtUserQueryWindow  (65706, 1, ... ) == 0x7e8
 04537   388   NtUserQueryWindow  (65704, 0, ... ) == 0x7e4
 04538   388   NtUserQueryWindow  (65704, 1, ... ) == 0x7e8
 04539   388   NtUserQueryWindow  (65702, 0, ... ) == 0x7e4
 04540   388   NtUserQueryWindow  (65702, 1, ... ) == 0x7e8
 04541   388   NtUserQueryWindow  (131168, 0, ... ) == 0x7e4
 04542   388   NtUserQueryWindow  (131168, 1, ... ) == 0x7e8
 04543   388   NtUserQueryWindow  (65696, 0, ... ) == 0x774
 04544   388   NtUserQueryWindow  (65696, 1, ... ) == 0x784
 04545   388   NtUserQueryWindow  (65664, 0, ... ) == 0x774
 04546   388   NtUserQueryWindow  (65664, 1, ... ) == 0x784
 04547   388   NtUserBuildHwndList  (0, 65664, 1, 0, 64, ... (0x10082, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0
 04548   388   NtUserQueryWindow  (65666, 0, ... ) == 0x774
 04549   388   NtUserQueryWindow  (65666, 1, ... ) == 0x784
 04550   388   NtUserQueryWindow  (65670, 0, ... ) == 0x774
 04551   388   NtUserQueryWindow  (65670, 1, ... ) == 0x784
 04552   388   NtUserQueryWindow  (65672, 0, ... ) == 0x774
 04553   388   NtUserQueryWindow  (65672, 1, ... ) == 0x784
 04554   388   NtUserQueryWindow  (65674, 0, ... ) == 0x774
 04555   388   NtUserQueryWindow  (65674, 1, ... ) == 0x784
 04556   388   NtUserQueryWindow  (65678, 0, ... ) == 0x774
 04557   388   NtUserQueryWindow  (65678, 1, ... ) == 0x784
 04558   388   NtUserQueryWindow  (65680, 0, ... ) == 0x774
 04559   388   NtUserQueryWindow  (65680, 1, ... ) == 0x784
 04560   388   NtUserQueryWindow  (65682, 0, ... ) == 0x774
 04561   388   NtUserQueryWindow  (65682, 1, ... ) == 0x784
 04562   388   NtUserQueryWindow  (65684, 0, ... ) == 0x774
 04563   388   NtUserQueryWindow  (65684, 1, ... ) == 0x784
 04564   388   NtUserQueryWindow  (65686, 0, ... ) == 0x774
 04565   388   NtUserQueryWindow  (65686, 1, ... ) == 0x784
 04566   388   NtUserQueryWindow  (65690, 0, ... ) == 0x774
 04567   388   NtUserQueryWindow  (65690, 1, ... ) == 0x784
 04568   388   NtUserQueryWindow  (65692, 0, ... ) == 0x774
 04569   388   NtUserQueryWindow  (65692, 1, ... ) == 0x784
 04570   388   NtUserQueryWindow  (65694, 0, ... ) == 0x774
 04571   388   NtUserQueryWindow  (65694, 1, ... ) == 0x784
 04572   388   NtUserQueryWindow  (65652, 0, ... ) == 0x774
 04573   388   NtUserQueryWindow  (65652, 1, ... ) == 0x784
 04574   388   NtUserQueryWindow  (65640, 0, ... ) == 0x774
 04575   388   NtUserQueryWindow  (65640, 1, ... ) == 0x784
 04576   388   NtUserQueryWindow  (196682, 0, ... ) == 0x774
 04577   388   NtUserQueryWindow  (196682, 1, ... ) == 0x784
 04578   388   NtUserQueryWindow  (65638, 0, ... ) == 0x774
 04579   388   NtUserQueryWindow  (65638, 1, ... ) == 0x784
 04580   388   NtUserQueryWindow  (196668, 0, ... ) == 0x774
 04581   388   NtUserQueryWindow  (196668, 1, ... ) == 0x784
 04582   388   NtUserBuildHwndList  (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0
 04583   388   NtUserQueryWindow  (196670, 0, ... ) == 0x774
 04584   388   NtUserQueryWindow  (196670, 1, ... ) == 0x784
 04585   388   NtUserQueryWindow  (196674, 0, ... ) == 0x774
 04586   388   NtUserQueryWindow  (196674, 1, ... ) == 0x784
 04587   388   NtUserQueryWindow  (196672, 0, ... ) == 0x774
 04588   388   NtUserQueryWindow  (196672, 1, ... ) == 0x784
 04589   388   NtUserQueryWindow  (196676, 0, ... ) == 0x774
 04590   388   NtUserQueryWindow  (196676, 1, ... ) == 0x784
 04591   388   NtUserQueryWindow  (196678, 0, ... ) == 0x774
 04592   388   NtUserQueryWindow  (196678, 1, ... ) == 0x784
 04593   388   NtUserQueryWindow  (196680, 0, ... ) == 0x774
 04594   388   NtUserQueryWindow  (196680, 1, ... ) == 0x784
 04595   388   NtUserQueryWindow  (65642, 0, ... ) == 0x774
 04596   388   NtUserQueryWindow  (65642, 1, ... ) == 0x784
 04597   388   NtUserQueryWindow  (65646, 0, ... ) == 0x774
 04598   388   NtUserQueryWindow  (65646, 1, ... ) == 0x784
 04599   388   NtUserQueryWindow  (65650, 0, ... ) == 0x774
 04600   388   NtUserQueryWindow  (65650, 1, ... ) == 0x784
 04601   388   NtUserQueryWindow  (65688, 0, ... ) == 0x774
 04602   388   NtUserQueryWindow  (65688, 1, ... ) == 0x784
 04603   388   NtUserQueryWindow  (65676, 0, ... ) == 0x774
 04604   388   NtUserQueryWindow  (65676, 1, ... ) == 0x784
 04605   388   NtUserQueryWindow  (65660, 0, ... ) == 0x774
 04606   388   NtUserQueryWindow  (65660, 1, ... ) == 0x778
 04607   388   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 04608   388   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 04609   388   NtUserQueryWindow  (196836, 0, ... ) == 0xc8
 04610   388   NtUserQueryWindow  (196836, 1, ... ) == 0xd0
 04611   388   NtUserQueryWindow  (327858, 0, ... ) == 0x4d0
 04612   388   NtUserQueryWindow  (327858, 1, ... ) == 0x4c4
 04613   388   NtUserQueryWindow  (65752, 0, ... ) == 0x4d0
 04614   388   NtUserQueryWindow  (65752, 1, ... ) == 0x4c4
 04615   388   NtUserQueryWindow  (65726, 0, ... ) == 0x7ec
 04616   388   NtUserQueryWindow  (65726, 1, ... ) == 0x7f0
 04617   388   NtUserQueryWindow  (65724, 0, ... ) == 0x7ec
 04618   388   NtUserQueryWindow  (65724, 1, ... ) == 0x7f0
 04619   388   NtUserQueryWindow  (65722, 0, ... ) == 0x7ec
 04620   388   NtUserQueryWindow  (65722, 1, ... ) == 0x7f0
 04621   388   NtUserQueryWindow  (65720, 0, ... ) == 0x7ec
 04622   388   NtUserQueryWindow  (65720, 1, ... ) == 0x7f0
 04623   388   NtUserQueryWindow  (65718, 0, ... ) == 0x7ec
 04624   388   NtUserQueryWindow  (65718, 1, ... ) == 0x7f0
 04625   388   NtUserQueryWindow  (65716, 0, ... ) == 0x7ec
 04626   388   NtUserQueryWindow  (65716, 1, ... ) == 0x7f0
 04627   388   NtUserQueryWindow  (65712, 0, ... ) == 0x7ec
 04628   388   NtUserQueryWindow  (65712, 1, ... ) == 0x7f0
 04629   388   NtUserQueryWindow  (65710, 0, ... ) == 0x7ec
 04630   388   NtUserQueryWindow  (65710, 1, ... ) == 0x7f0
 04631   388   NtUserQueryWindow  (131172, 0, ... ) == 0x7f8
 04632   388   NtUserQueryWindow  (131172, 1, ... ) == 0x7fc
 04633   388   NtUserQueryWindow  (65750, 0, ... ) == 0x774
 04634   388   NtUserQueryWindow  (65750, 1, ... ) == 0x4f8
 04635   388   NtUserQueryWindow  (65740, 0, ... ) == 0x774
 04636   388   NtUserQueryWindow  (65740, 1, ... ) == 0x4f8
 04637   388   NtUserBuildHwndList  (0, 65740, 1, 0, 64, ... (0x100ce, 0x100d0, 0x100d2, 0x100d4, 0x1, ), 5, ) == 0x0
 04638   388   NtUserQueryWindow  (65742, 0, ... ) == 0x774
 04639   388   NtUserQueryWindow  (65742, 1, ... ) == 0x4f8
 04640   388   NtUserQueryWindow  (65744, 0, ... ) == 0x774
 04641   388   NtUserQueryWindow  (65744, 1, ... ) == 0x4f8
 04642   388   NtUserQueryWindow  (65746, 0, ... ) == 0x774
 04643   388   NtUserQueryWindow  (65746, 1, ... ) == 0x4f8
 04644   388   NtUserQueryWindow  (65748, 0, ... ) == 0x774
 04645   388   NtUserQueryWindow  (65748, 1, ... ) == 0x4f8
 04646   388   NtUserQueryWindow  (65738, 0, ... ) == 0x774
 04647   388   NtUserQueryWindow  (65738, 1, ... ) == 0x784
 04648   388   NtUserQueryWindow  (65708, 0, ... ) == 0x7e4
 04649   388   NtUserQueryWindow  (65708, 1, ... ) == 0x7e8
 04650   388   NtUserQueryWindow  (131166, 0, ... ) == 0x7dc
 04651   388   NtUserQueryWindow  (131166, 1, ... ) == 0x7e0
 04652   388   NtUserQueryWindow  (65644, 0, ... ) == 0x774
 04653   388   NtUserQueryWindow  (65644, 1, ... ) == 0x7b0
 04654   388   NtUserQueryWindow  (327760, 0, ... ) == 0x774
 04655   388   NtUserQueryWindow  (327760, 1, ... ) == 0x778
 04656   388   NtUserQueryWindow  (262228, 0, ... ) == 0x774
 04657   388   NtUserQueryWindow  (262228, 1, ... ) == 0x778
 04658   388   NtUserQueryWindow  (327758, 0, ... ) == 0x774
 04659   388   NtUserQueryWindow  (327758, 1, ... ) == 0x778
 04660   388   NtUserQueryWindow  (65662, 0, ... ) == 0x774
 04661   388   NtUserQueryWindow  (65662, 1, ... ) == 0x778
 04662   388   NtUserQueryWindow  (65654, 0, ... ) == 0x774
 04663   388   NtUserQueryWindow  (65654, 1, ... ) == 0x778
 04664   388   NtUserBuildHwndList  (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0
 04665   388   NtUserQueryWindow  (65656, 0, ... ) == 0x774
 04666   388   NtUserQueryWindow  (65656, 1, ... ) == 0x778
 04667   388   NtUserQueryWindow  (65658, 0, ... ) == 0x774
 04668   388   NtUserQueryWindow  (65658, 1, ... ) == 0x778
 04669   388   NtUserCloseDesktop  (240, ...
 04670   388   NtClose  (240, ... ) == 0x0
 04669   388   NtUserCloseDesktop  ... ) == 0x1
 04671   388   NtUserGetProcessWindowStation  (... ) == 0x28
 04672   388   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 04673   388   NtUserGetProcessWindowStation  (... ) == 0x28
 04674   388   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 04675   388   NtGdiDeleteObjectApp  (50987847, ... ) == 0x1
 04676   388   NtGdiDeleteObjectApp  (50987846, ... ) == 0x1
 04677   388   NtClose  (12, ... ) == 0x0
 04678   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0
 04679   388   NtFreeVirtualMemory  (-1, (0x158000), 16384, 16384, ... (0x158000), 16384, ) == 0x0
 04680   388   NtFreeVirtualMemory  (-1, (0xde0000), 0, 32768, ... (0xde0000), 262144, ) == 0x0
 04681   388   NtUserUnregisterClass  (1238700, 1991376896, 1238688, ... ) == 0x0
 04682   388   NtClose  (192, ... ) == 0x0
 04683   388   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 04684   388   NtClose  (196, ... ) == 0x0
 04685   388   NtClose  (188, ... ) == 0x0
 04686   388   NtFreeVirtualMemory  (-1, (0x151000), 4096, 16384, ... (0x151000), 4096, ) == 0x0
 04687   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 04688   388   NtFreeVirtualMemory  (-1, (0x390000), 0, 32768, ... (0x390000), 262144, ) == 0x0
 04689   388   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 04690   388   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 04691   388   NtReleaseMutant  (76, ... 0x0, ) == 0x0
 04692   388   NtUserUnhookWindowsHookEx  (196667, ... ) == 0x1
 04693   388   NtTerminateThread  (80, 0, ... ) == 0x0
 04694   388   NtTerminateThread  (56, 0, ... ) == 0x0
 04695   388   NtTerminateThread  (72, 0, ... ) == 0x0
 04696   388   NtUserKillTimer  (0, 32761, ... ) == 0x1
 04697   388   NtClose  (84, ... ) == 0x0
 04698   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc03b
 04699   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04700   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc03d
 04701   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04702   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc03f
 04703   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04704   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc041
 04705   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04706   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc043
 04707   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04708   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc045
 04709   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04710   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc047
 04711   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04712   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc049
 04713   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04714   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc04b
 04715   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04716   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc04d
 04717   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04718   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc04f
 04719   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04720   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc051
 04721   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04722   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc053
 04723   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04724   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc057
 04725   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04726   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc059
 04727   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04728   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc05b
 04729   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04730   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc05d
 04731   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04732   388   NtUserGetClassInfo  (1999896576, 1238788, 1238740, 1238816, 0, ... ) == 0xc05f
 04733   388   NtUserUnregisterClass  (1238792, 1999896576, 1238780, ... ) == 0x1
 04734   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc03b
 04735   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04736   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc03d
 04737   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04738   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc03f
 04739   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04740   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc041
 04741   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04742   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc043
 04743   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04744   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc045
 04745   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04746   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc047
 04747   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04748   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc049
 04749   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04750   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc04b
 04751   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04752   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc04d
 04753   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04754   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc04f
 04755   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04756   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc051
 04757   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04758   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc053
 04759   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04760   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc057
 04761   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04762   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc059
 04763   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04764   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc05b
 04765   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04766   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc05d
 04767   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04768   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc05f
 04769   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04770   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc017
 04771   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04772   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc019
 04773   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04774   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc018
 04775   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04776   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc01a
 04777   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04778   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc01c
 04779   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04780   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc01e
 04781   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04782   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc01b
 04783   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04784   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc068
 04785   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04786   388   NtUserGetClassInfo  (1905590272, 1238788, 1238740, 1238816, 0, ... ) == 0xc06a
 04787   388   NtUserUnregisterClass  (1238792, 1905590272, 1238780, ... ) == 0x1
 04788   388   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 04789   388   NtFreeVirtualMemory  (-1, (0x175000), 4096, 16384, ... (0x175000), 4096, ) == 0x0
 04790   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 04791   388   NtClose  (264, ... ) == 0x0
 04792   388   NtClose  (432, ... ) == 0x0
 04793   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 04794   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 04795   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 04796   388   NtClose  (260, ... ) == 0x0
 04797   388   NtClose  (436, ... ) == 0x0
 04798   388   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 04799   388   NtUnmapViewOfSection  (-1, 0x1000000, ... ) == 0x0
 04800   388   NtClose  (404, ... ) == 0x0
 04801   388   NtClose  (248, ... ) == 0x0
 04802   388   NtFreeVirtualMemory  (-1, (0x370000), 4096, 32768, ... (0x370000), 4096, ) == 0x0
 04803   388   NtClose  (388, ... ) == 0x0
 04804   388   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 1239292, 2012553151, 1310720}  (24, {20, 48, new_msg, 0, 0, 1239292, 2012553151, 1310720} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 316, 388, 2735, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 316, 388, 2735, 0}  (24, {20, 48, new_msg, 0, 0, 1239292, 2012553151, 1310720} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 316, 388, 2735, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 04805   388   NtTerminateProcess  (-1, 0, ...
 04806   388   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtOpenDirectoryObject(>)	2	NtUserCallNoParam(>)	7	NtQueryDefaultLocale(>)	42
NtAllocateLocallyUniqueId(>)	1	NtQueryInstallUILanguage(>)	2	NtCreateThread(>)	8	NtContinue(>)	45
NtCallbackReturn(>)	1	NtSetEvent(>)	2	NtOpenSymbolicLinkObject(>)	8	NtCreateEvent(>)	46
NtDuplicateToken(>)	1	NtUnlockFile(>)	2	NtQuerySymbolicLinkObject(>)	8	NtUserUnregisterClass(>)	47
NtGdiCreateBitmap(>)	1	NtUserCloseDesktop(>)	2	NtQueryVirtualMemory(>)	8	NtUserFindExistingCursorIcon(>)	49
NtGdiCreateHalftonePalette(>)	1	NtUserCreateWindowEx(>)	2	NtRegisterThreadTerminatePort(>)	8	NtQueryInformationFile(>)	50
NtGdiCreatePaletteInternal(>)	1	NtUserDestroyWindow(>)	2	NtResumeThread(>)	8	NtSetInformationFile(>)	50
NtGdiCreatePatternBrushInternal(>)	1	NtUserGetObjectInformation(>)	2	NtReadVirtualMemory(>)	9	NtQueryDirectoryFile(>)	51
NtGdiDoPalette(>)	1	NtUserMessageCall(>)	2	NtQueryDefaultUILanguage(>)	10	NtCreateFile(>)	52
NtGdiInit(>)	1	NtYieldExecution(>)	2	NtUserGetWindowDC(>)	10	NtDelayExecution(>)	59
NtGdiQueryFontAssocInfo(>)	1	NtOpenMutant(>)	3	NtUserCallOneParam(>)	11	NtQueryInformationProcess(>)	63
NtGdiSelectBitmap(>)	1	NtOpenProcess(>)	3	NtUserSystemParametersInfo(>)	11	NtUserRegisterClassExWOW(>)	65
NtOpenKeyedEvent(>)	1	NtTerminateProcess(>)	3	NtSetValueKey(>)	13	NtProtectVirtualMemory(>)	69
NtQueryFullAttributesFile(>)	1	NtTerminateThread(>)	3	NtWriteVirtualMemory(>)	16	NtUnmapViewOfSection(>)	72
NtQueryObject(>)	1	NtUserOpenDesktop(>)	3	NtNotifyChangeKey(>)	17	NtCreateSection(>)	73
NtQueryPerformanceCounter(>)	1	NtUserRemoveProp(>)	3	NtOpenProcessToken(>)	17	NtWaitForSingleObject(>)	74
NtQuerySystemTime(>)	1	NtWaitForMultipleObjects(>)	3	NtCreateKey(>)	18	NtOpenSection(>)	78
NtSecureConnectPort(>)	1	NtConnectPort(>)	4	NtDeviceIoControlFile(>)	18	NtReadFile(>)	83
NtUserBuildNameList(>)	1	NtCreateProcessEx(>)	4	NtUserRegisterWindowMessage(>)	19	NtUserGetClassInfo(>)	91
NtUserGetAtomName(>)	1	NtGdiCreateCompatibleDC(>)	4	NtWriteFile(>)	19	NtQuerySystemInformation(>)	95
NtUserGetDC(>)	1	NtOpenEvent(>)	4	NtQueryVolumeInformationFile(>)	21	NtOpenProcessTokenEx(>)	112
NtUserGetForegroundWindow(>)	1	NtQueryInformationJobObject(>)	4	NtFsControlFile(>)	22	NtOpenThreadTokenEx(>)	112
NtUserGetGUIThreadInfo(>)	1	NtQueryInformationThread(>)	4	NtFreeVirtualMemory(>)	23	NtAllocateVirtualMemory(>)	120
NtUserGetThreadDesktop(>)	1	NtQuerySecurityObject(>)	4	NtRaiseException(>)	23	NtMapViewOfSection(>)	120
NtUserKillTimer(>)	1	NtUserWaitForInputIdle(>)	4	NtQueryDebugFilterState(>)	26	NtQueryKey(>)	129
NtUserSetProp(>)	1	NtCreateMutant(>)	5	NtReleaseSemaphore(>)	27	NtOpenFile(>)	130
NtUserSetTimer(>)	1	NtGdiGetStockObject(>)	5	NtFlushInstructionCache(>)	29	NtQueryInformationToken(>)	133
NtUserSetWindowsHookEx(>)	1	NtSetInformationObject(>)	5	NtRequestWaitReplyPort(>)	30	NtUserQueryWindow(>)	134
NtUserUnhookWindowsHookEx(>)	1	NtUserBuildHwndList(>)	5	NtEnumerateKey(>)	31	NtQueryAttributesFile(>)	183
NtAccessCheck(>)	2	NtUserGetProcessWindowStation(>)	5	NtSetInformationThread(>)	31	NtQueryValueKey(>)	372
NtClearEvent(>)	2	NtCreateSemaphore(>)	6	NtEnumerateValueKey(>)	33	NtOpenKey(>)	530
NtCreateIoCompletion(>)	2	NtGdiDeleteObjectApp(>)	6	NtOpenThreadToken(>)	36	NtClose(>)	713
NtGdiCreateSolidBrush(>)	2	NtSetEventBoostPriority(>)	6	NtSetInformationProcess(>)	36
NtGdiHfontCreate(>)	2	NtDuplicateObject(>)	7	NtQuerySection(>)	37
NtLockFile(>)	2